Thousands of MEGA Logins Exposed Using Credential Stuffing

Jeff Dugan

Thousands of credentials from MEGA accounts have been dumped online, all contained in a text file.

The popular cloud storage and file hosting service MEGA is known for its tough security measures: all files are encrypted locally before they are uploaded. But Patrick Wardle, chief research officer and co-founder at Digita Security, found a text file in June that contained over 15,500 usernames, passwords, and file names. The file had been uploaded to the malware analysis site VirusTotal some months earlier.

The source of the data was verified after several users confirmed that the email addresses, passwords, and some of the files they were shown were used on MEGA. The leaked data has been found to date as far back as 2013 – the year of the cloud service’s debut – and as recently as January of this year.

There Was No Breach

The leak was not MEGA’s responsibility. Instead, further analysis revealed that the data had already been exposed in other breaches. What the hackers did is known as credential stuffing, a practice that involves collecting credentials from breaches and then testing them against different websites to see which ones work. The analysis revealed that:

  • 98% of the email addresses in the file had already been exposed in a previous breach
  • Around 87% of the accounts in the Mega file were found in a massive collection of 2,844 data breaches

The analysis was conducted by Troy Hunt, an Australian web security expert who runs data breach notification site Have I Been Pwned.
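From the service's side, credential stuffing shows up in login records as one source trying many different accounts about once each, which is distinct from repeated guessing against a single account. The Python below is an added example, not part of the original article or of any MEGA tooling; the log format, thresholds and function names are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample events (not real data): timestamp, source IP, username, result.
SAMPLE_LOG = """\
2018-07-01T10:00:01Z 203.0.113.7 ann@example.com FAIL
2018-07-01T10:00:02Z 203.0.113.7 ben@example.com FAIL
2018-07-01T10:00:03Z 203.0.113.7 cat@example.com OK
2018-07-01T10:00:04Z 203.0.113.7 dan@example.com FAIL
2018-07-01T10:00:05Z 203.0.113.7 eve@example.com FAIL
2018-07-01T10:01:00Z 198.51.100.9 ann@example.com FAIL
2018-07-01T10:01:01Z 198.51.100.9 ann@example.com FAIL
2018-07-01T10:01:02Z 198.51.100.9 ann@example.com FAIL
2018-07-01T10:01:03Z 198.51.100.9 ann@example.com FAIL
2018-07-01T10:01:04Z 198.51.100.9 ann@example.com FAIL
2018-07-01T10:02:00Z 192.0.2.10 gus@example.com FAIL
2018-07-01T10:02:09Z 192.0.2.10 gus@example.com OK
malformed line, skipped by the parser
"""

def parse(log):
    """Yield (ip, username, succeeded) for each well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("OK", "FAIL"):
            yield parts[1], parts[2].lower(), parts[3] == "OK"

def classify_sources(log, min_accounts=5, min_attempts=5):
    """Label each source IP; list accounts a stuffing source logged in to."""
    attempts, users, hits = defaultdict(int), defaultdict(set), defaultdict(set)
    for ip, user, ok in parse(log):
        attempts[ip] += 1
        users[ip].add(user)
        if ok:
            hits[ip].add(user)
    verdicts, exposed = {}, set()
    for ip in attempts:
        if len(users[ip]) >= min_accounts and attempts[ip] <= 2 * len(users[ip]):
            # Many distinct accounts, at most two tries each: pairs replayed from a dump.
            verdicts[ip] = "credential_stuffing"
            exposed |= hits[ip]  # a reused password worked: force a reset
        elif attempts[ip] >= min_attempts and not hits[ip]:
            # Many failures and no success, spread over few accounts.
            verdicts[ip] = "password_guessing"
        else:
            verdicts[ip] = "normal"
    return verdicts, sorted(exposed)

if __name__ == "__main__":
    print(classify_sources(SAMPLE_LOG))
```

Accounts returned in the second value are the ones whose reused password matched, so they are the candidates for a forced reset and a two-factor prompt.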

The New Zealand-based MEGA was launched in January of 2013 by German-Finnish Internet entrepreneur and political activist Kim Dotcom, the founder of the now-defunct service Megaupload. Megaupload was closed after its founders were indicted for operating as an organization dedicated to copyright infringement.

Born Kim Schmitz, Dotcom achieved notoriety in Germany as a teen hacker who received a two-year suspended sentence for selling identities that he had siphoned from telephone operators’ client database. In 2015, he disassociated himself from MEGA and stated that the New Zealand government had seized the shares of a Chinese investor and has control of the site.

This is the second occurrence of credential stuffing being used to aggregate valid login information that we’ve reported on in less than a week. As such, we feel compelled to ask you to:

  • Enable two-factor authentication whenever possible
  • Create unique passwords for each of your online accounts

If memorizing all those passwords seems like a nuisance to you (understandably so), you can use a password manager. It’ll be worth your time.

Jeff Dugan

Jeffrey is a veteran tech columnist and reviewer. His favorite hobby is scouring the internet for tips, tricks, and little-known tools to get the best out of the web.