File-sharing website Mega has had a storied history. Perhaps still best known as Megaupload in the Kim Dotcom era, the service is still hugely popular. Not shy of controversy, Mega is now facing a new round of problems. That's because the company's Chrome extension was replaced by a mimic containing malicious code.
The replacement application held code that could have let attackers steal users data, such as private information. In an announcement, the cloud storage service confirmed the breach:
“On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA's Chrome extension, version 3.39.4, to the Google Chrome webstore,” the company writes in its blogpost detailing the breach.
Mega says the extension looked for data from websites like Microsoft Live, Google, Github, Amazon, and others. The goal of the attack was to find user information. Additionally, the extension targeted private keys for cryptocurrency wallets.
In its blog, the company urged users to prepare for the fact their credentials were compromised and to change them:
“Please note that if you visited any site or made use of another extension that sends plain-text credentials through POST requests, either by direct form submission or through a background XMLHttpRequest process (MEGA is not one of them) while the trojaned extension was active, consider that your credentials were compromised on these sites and/or applications.”
Any data that was stolen was sent to a server in Ukraine. Mega says users who installed the extension or updated it during the compromise were affected. The update in question is version 3.39.4. If you are not on that build, your credentials should be fine.
“Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise,” the company says.