Mega data breach: Logins for 15,500 accounts on net

One of the leaked accounts contained file listings that appeared to indicate child abuse content. Photo: Getty Images
Security researchers are warning that some 15,500 logins for the Mega.nz file storage site have been found on the internet - and that they have been accessed by unknown third parties.

Tech publication ZDNet was sent a text file with usernames and passwords by United States-based security researcher Patrick Wardle, who had found it on an anti-malware scanning site.

ZDNet was able to confirm the authenticity of the data leak by contacting several Mega users to verify the credentials.

The details in the text file include file listings, which indicate that the compromised accounts were accessed by intruders.

In one case, the account contained file listings that appeared to indicate child abuse content, which ZDNet said was reported to the police.

Mega chairman Stephen Hall, in an interview with The New Zealand Herald, said the company was told about the data leak two weeks ago by ZDNet. The storage provider advised the publication that anyone aware of accounts containing illegal content should report them to abuse@mega.nz.

“Mega has zero tolerance for child abuse and immediately closes the user’s account and refers the matter to the authorities, who applaud our prompt and effective response,” Hall said.

Hall said that the credentials spillage was likely caused by people using the same logins across multiple sites, rather than a breach of Mega’s own systems.

“We can’t verify how the credentials were obtained, but we can confirm that it was not from any breach of Mega’s systems, and that many users do use the same password over multiple sites, a number of which have been hacked,” Hall said.

Troy Hunt, the operator of login leaks alert site HaveIBeenPwned.com, concurred, saying the list was likely to be a case of “credential stuffing”, in which attackers use reused login details obtained from other data breaches.

Mega has not been provided with the list of compromised accounts and has been unable to warn the affected users directly, Hall said.

The storage site can’t reset users’ passwords because it doesn’t have them, Hall said.

“We can’t reset passwords as we don’t hold passwords. A user must reset their password while logged in to Mega so they can retain access to their stored files,” Hall said.

Mega’s design means that encryption of files stored on the site takes place on users’ computers. This means there is no way for Mega to inspect users’ data.

While Mega does not yet have two-factor authentication to protect user accounts, Hall said the company has set up a new warning system that alerts users of unusual login patterns.

Mega has 115 million users, Hall said. The company was set up by Kim Dotcom in 2013, but he soon fell out with the site management and investors and is no longer involved with the online storage company.
