
Thousands of Mega Logins Dumped Online, Exposing User Files (zdnet.com) 30

Thousands of credentials for accounts associated with New Zealand-based file storage service Mega have been published online, ZDNet reports. From the report: The text file contains over 15,500 usernames, passwords, and file names, indicating that each account had been improperly accessed and file names scraped. Patrick Wardle, chief research officer and co-founder at Digita Security, found the text file in June after it had been uploaded to malware analysis site VirusTotal some months earlier by a user purportedly in Vietnam. Wardle passed the data to ZDNet. We verified that the data belonged to Mega, the file-sharing site formerly owned by internet entrepreneur Kim Dotcom, by contacting several users, who confirmed that the email address, password, and some of the files we showed them were used on Mega.
  • The way I remember Mega's demise is that their servers were confiscated semi-legally by the NZ authorities acting on behalf of the US authorities. Has a Mega backup found its way to the big wide world or have the authorities outed themselves as corrupt?
    My guess is the second option.
    Where did those servers (ok, their discs) end up?

    • Comment removed based on user account deletion
    • by ( 4475953 )

      His wife is involved in the company and for obvious reasons Dotcom has done the best he can to make sure he cannot be associated legally in any way with her company. Mega is about the only company that - again, for obvious reasons - takes end-user encryption seriously, which might make it a natural target for all kinds of entities that do not like the idea of having companies that do not store encryption keys or implement fuse key escrow. There is a vested interest in shattering Mega's reputation, which is

  • I have a Mega login. Wouldn't mind knowing whether it's been exposed.

    • I have a Mega login. Wouldn't mind knowing whether it's been exposed.

      Did you read TFA? If you didn't reuse your user name and password from another service then it hasn't. Mega itself hasn't been breached, it's just the old password reuse problem.

  • I'll admit it's been a few years since I even used the Mega account I signed up for, but IIRC, during the setup process there was a part where I had to download my key that would be used for encryption, with the UI notifying me in bold font that "WITHOUT THIS KEY YOU CANNOT DECRYPT YOUR FILES -- WE DO NOT HAVE ACCESS TO YOUR KEY AND CANNOT ACCESS YOUR FILES".

    If this is so, what is the danger to an attacker getting access to Mega's servers?

    Did 1) something change with the way Mega was run, or 2) The attac

    • Did 1) something change with the way Mega was run, or 2) The attackers were somehow grabbing these keys, or 3) I didn't understand how the encryption was working?

      Are you able to access your files when you login? Mega's encryption works by using the user credentials to generate the key. TFA talks about this potentially being the result of credential stuffing (automating usernames and passwords from other leaks to attempt login on a different service), and given the small number of credentials leaked it would make sense.

      Don't reuse passwords on multiple websites.

  • It appears to be a case of credential stuffing. Credentials stolen from other sites were run against Mega looking for hits. Since many people have multiple accounts at Mega full of stuff they don't care to protect it is not surprising they found so many hits. I switched to unique passwords on everything after someone got into my paid Spotify account--what an incredible nuisance that was--but until you get burned it's easy to be complacent, especially about a throwaway download account.

  • Someone else will be able to access the copyrighted files you illegally distributed.

  • Finally! I forgot my password, and this is much easier than trying to recover it.
