- The leaked text file contained over 15,500 usernames, passwords and file names.
- The listed information dated from Mega’s debut in 2013 to as recently as January.
Thousands of login credentials and account details linked to New Zealand-based file storage service Mega have reportedly been exposed online. Digita Security co-founder and chief research officer Patrick Wardle reportedly discovered a text file in June that contained over 15,500 usernames, passwords and file names, ZDNet reports.
The exposed cache suggests the Mega accounts were improperly accessed and relevant data scraped.
According to Wardle, the text file had been uploaded to malware analysis site VirusTotal by a user supposedly from Vietnam a few months ago.
ZDNet verified the authenticity of the information by contacting several impacted users, who confirmed that the email addresses, passwords and some of the files shown to them were used on Mega. The exposed data are dated from Mega’s debut in 2013 to as recently as January.
Credential stuffing or data breach?
Security researcher and Have I Been Pwned creator Troy Hunt told ZDNet that the exposed text file is likely a result of credential stuffing rather than a breach of Mega’s systems. In credential stuffing attacks, attackers automatically inject stolen username/password pairs in order to gain access to accounts on targeted websites.
Troy noted that 98 percent of the email addresses found in the file had already been accessed in prior breaches cached in his database. Around 87 percent of the accounts in the Mega file were found in the collection of 2,844 data breaches uploaded to Have I Been Pwned in February.
Mega chairman Stephen Hall also said the exposed credentials pointed to credential stuffing, and not a breach of the company’s systems. He added that the text file contained data on just "0.0001 percent of our 115 million registered users."
Although Mega claims to offer end-to-end encryption, the site doesn’t allow for two-factor authentication. Hall said the company will “soon” introduce this security feature for Mega users.
ZDNet further reported that one of the accounts in the text file seemed to describe child abuse content. The publisher said it has notified authorities.
"Mega has zero tolerance for child sexual abuse materials," Hall told ZDNet. "Any reports result in links being deactivated immediately, the user's account closed and the details provided to the authorities."
"Mega can't act as censor by examining content as it is encrypted at the user's device before being transferred to Mega. As well as it being technically impossible, it is also practically infeasible for Mega and other major cloud storage providers, with 100s of files being uploaded each second."