File-sharing website Mega has had a storied history. Perhaps still best known as Megaupload in the Kim Dotcom era, the service is still hugely popular. Not shy of controversy, Mega is now facing a new round of problems. That’s because the company’s Chrome extension was replaced by a mimic containing malicious code.

The replacement application held code that could have let attackers steal users data, such as private information. In an announcement, the cloud storage service confirmed the breach:

“On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA’s Chrome extension, version 3.39.4, to the Google Chrome webstore,” the company writes in its blogpost detailing the breach.

Mega says the extension looked for data from websites like Microsoft Live, Google, Github, Amazon, and others. The goal of the attack was to find user information. Additionally, the extension targeted private keys for cryptocurrency wallets.

In its blog, the company urged users to prepare for the fact their credentials were compromised and to change them:

“Please note that if you visited any site or made use of another extension that sends plain-text credentials through POST requests, either by direct form submission or through a background XMLHttpRequest process (MEGA is not one of them) while the trojaned extension was active, consider that your credentials were compromised on these sites and/or applications.”

Extension Removed

Any data that was stolen was sent to a server in Ukraine. Mega says users who installed the extension or updated it during the compromise were affected. The update in question is version 3.39.4. If you are not on that build, your credentials should be fine.

The extension has now been removed entirely from Google Chrome as the company investigates. Speaking of Google, Mega lay some of the blame on Chrome and recent policy changes:

“Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise,” the company says.