The replacement application contained code that could have let attackers steal users' data, such as private information. In an announcement, the cloud storage service confirmed the breach: “On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA’s Chrome extension, version 3.39.4, to the Google Chrome webstore,” the company writes in its blog post detailing the breach. In the same post, the company urged users to assume their credentials were compromised and to change them: “Please note that if you visited any site or made use of another extension that sends plain-text credentials through POST requests, either by direct form submission or through a background XMLHttpRequest process (MEGA is not one of them) while the trojaned extension was active, consider that your credentials were compromised on these sites and/or applications.”
Extension Removed
Any data that was stolen was sent to a server in Ukraine. Mega says users who installed the extension or updated it during the compromise were affected. The update in question is version 3.39.4. If you are not on that build, your credentials should be fine. The extension has now been removed entirely from Google Chrome as the company investigates. Mega also laid some of the blame on Chrome and recent policy changes: “Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise,” the company says.
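One way to check a machine for the affected build, as an added example that is not MEGA's code or part of the original article: it scans a Chrome profile's Extensions folder for an installed manifest reporting version 3.39.4. The folder path supplied by the caller, the match on a manifest name containing "MEGA", and the function and constant names are assumptions of this example; where the manifest name is a localized placeholder, pass the extension ID shown in chrome://extensions instead.

```python
import json
import sys
from pathlib import Path

AFFECTED_VERSION = "3.39.4"   # trojaned build named in MEGA's announcement
NAME_HINT = "mega"            # assumption: manifest "name" contains "MEGA"


def find_affected(extensions_dir, extension_id=None):
    """Return (extension id, version, manifest path) for every installed build
    that matches the affected version.

    extensions_dir is a Chrome profile's "Extensions" folder, laid out as
    <extension id>/<version>_<n>/manifest.json. Pass extension_id (taken from
    chrome://extensions) to match on the ID instead of the manifest name.
    """
    hits = []
    for manifest in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        ext_id = manifest.parent.parent.name
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, keep scanning
        if not isinstance(data, dict):
            continue
        if extension_id is not None:
            if ext_id != extension_id:
                continue
        elif NAME_HINT not in str(data.get("name", "")).lower():
            # Localized manifests store "__MSG_...__" here; use extension_id.
            continue
        if str(data.get("version", "")).strip() == AFFECTED_VERSION:
            hits.append((ext_id, AFFECTED_VERSION, str(manifest)))
    return hits


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: check_mega.py <profile Extensions dir> [extension id]")
    found = find_affected(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
    for ext_id, version, path in found:
        print(f"AFFECTED {ext_id} {version} {path}")
    sys.exit(1 if found else 0)
```

The script exits with status 1 when an affected build is present, so it can be run across a fleet and the results collected by exit code.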