Former NSA hacker Patrick Wardle, co-founder of Digita Security, discovered in June a text file containing over 15,500 usernames, passwords, and file names.
Found file on VirusTotal w/ 15K+ Mega accounts (user names/passwords & users' file listings)
File listings included file names describing child abuse content
International law enforcement actively engaged
@zackwhittaker for writeup & collaboration! https://t.co/VIfsP6isj6
— patrick wardle (@patrickwardle) July 18, 2018
The presence of the file listings suggests that the threat actors who collected the credentials also accessed each account and listed its contents.
Wardle discovered the file after it was uploaded to the VirusTotal service some months earlier by a user purportedly in Vietnam.
Wardle passed the data to ZDNet, which verified that the huge trove of data belongs to the Mega service.
ZDNet contacted many users, who confirmed the authenticity of the content of the file.
The data appears to date back to 2013, when Kim Dotcom launched the service.
ZDNet asked the popular expert Troy Hunt, who runs the data breach notification site Have I Been Pwned, to analyze the files.
Hunt believes the hackers collected the credentials from other data breaches (credential stuffing).
98 percent of the addresses in the file had already been included in a previous data breach and listed in Hunt's service.
“Some 87 percent of the accounts in the Mega file were found in a massive collection of 2,844 data breaches that he uploaded to the service in February, said Hunt.” read the post published by ZDNet.
“Of those we contacted, five said that they had used the same password on different sites.”
Mega chairman Stephen Hall also confirmed the file is the result of credential stuffing.
Experts noted that the Mega service doesn't implement two-factor authentication, making it easy for attackers to access an account once they have obtained the credentials from other breaches.
Mega logs the IP address of each user who accesses an account, and some users confirmed that they had noticed suspicious logins to their accounts from countries in Eastern Europe, Russia, and South America since the file was uploaded.
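The login-log signals described above (one source trying many accounts, and a successful login from a country an account has never used before), shown as an added detection example that is not from ZDNet, Mega or the original article. The log layout, thresholds and function names are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample login log: (timestamp, account, source_ip, country, success).
# Accounts are made up; IPs come from the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    ("2018-06-01T08:00:00", "alice@example.com", "192.0.2.10", "NZ", True),
    ("2018-06-02T08:05:00", "alice@example.com", "192.0.2.10", "NZ", True),
    ("2018-06-02T09:00:00", "bob@example.com", "192.0.2.20", "DE", True),
    ("2018-07-01T03:00:00", "alice@example.com", "203.0.113.5", "RU", True),
    ("2018-07-01T03:00:02", "bob@example.com", "203.0.113.5", "RU", False),
    ("2018-07-01T03:00:04", "carol@example.com", "203.0.113.5", "RU", False),
    ("2018-07-01T03:00:06", "dave@example.com", "203.0.113.5", "RU", False),
    ("2018-07-01T03:00:08", "erin@example.com", "203.0.113.5", "RU", True),
]

def stuffing_sources(log, min_accounts=4, max_success_ratio=0.5):
    """Source IPs that tried many distinct accounts and mostly failed."""
    accounts, attempts, hits = defaultdict(set), defaultdict(int), defaultdict(int)
    for _ts, account, ip, _country, ok in log:
        accounts[ip].add(account)
        attempts[ip] += 1
        hits[ip] += ok
    return sorted(ip for ip in accounts
                  if len(accounts[ip]) >= min_accounts
                  and hits[ip] / attempts[ip] <= max_success_ratio)

def new_country_logins(log):
    """Successful logins from a country not seen before for that account."""
    seen, alerts = defaultdict(set), []
    for ts, account, ip, country, ok in sorted(log):
        if not ok:
            continue
        # An account with no history has no baseline, so it is not flagged here.
        if seen[account] and country not in seen[account]:
            alerts.append((ts, account, ip, country))
        seen[account].add(country)
    return alerts

def accounts_to_reset(log):
    """Accounts that a flagged source logged into successfully."""
    bad = set(stuffing_sources(log))
    return sorted({acct for _ts, acct, ip, _c, ok in log if ok and ip in bad})

if __name__ == "__main__":
    print(stuffing_sources(SAMPLE_LOG))
    print(new_country_logins(SAMPLE_LOG))
    print(accounts_to_reset(SAMPLE_LOG))
```

Combining both signals matters: the account with no prior login history is missed by the new-country check but caught because the source IP was flagged.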
“One of the accounts in the file contained file listings for what appeared to describe child abuse content. Given the nature of the account’s content, ZDNet informed the authorities.” continues ZDNet.
The illegal content was uploaded years earlier, suggesting that the account owner stored it and excluding any recent third-party involvement.
“Mega has zero tolerance for child sexual abuse materials,” said Hall. “Any reports result in links being deactivated immediately, the user’s account closed and the details provided to the authorities.”
“Mega can’t act as censor by examining content as it is encrypted at the user’s device before being transferred to Mega,” he said. “As well as it being technically impossible, it is also practically infeasible for Mega and other major cloud storage providers, with 100s of files being uploaded each second.”
(Security Affairs – Mega, credential stuffing)