Users' credentials leaked due to Mega Chrome extension hack

MEGA extension was found to be affected by malware

The malware-laden 3.39.4 version of the MEGA extension was used to expose users' credentials and steal private cryptocurrency keys.

On the 4th of September this year, a report revealed a hack that compromised a specific Google Chrome extension. The extension appeared in a malicious 3.39.4 version created to steal users' sensitive information and private cryptocurrency keys[1].

The modified Google Chrome extension could monitor logins to well-known websites such as Amazon[2], Google, Microsoft and GitHub. The malware injected into the legitimate extension could have had severe consequences, as personal information was exposed to the attackers behind it.

Cryptocurrency wallets also turned out to be compromised

According to IT researchers, the malicious Chrome extension also monitored cryptocurrency sites and wallets such as MyMonero, MyEtherWallet, and[3]. This activity was intended to let the attackers steal users' private cryptocurrency keys. The Firefox version of the extension was also checked, and no harmful activity was found there.

The modified Mega Chrome extension sent the stolen information to an attacker-controlled server located in Ukraine. From that server the attacker could log in to victims' accounts, steal sensitive data, and use the captured private cryptocurrency keys to complete thefts of digital currency.

MEGA.NZ apologizes for the data breach and presents needed updates

The company has already apologized to users for the incident, but did not miss the chance to blame Google for the hack:

We would like to apologise for this significant incident. MEGA uses strict release procedures with multi-party code review, robust build workflow and cryptographic signatures where possible. Unfortunately, Google decided to disallow publisher signatures on Chrome extensions and is now relying solely on signing them automatically after upload to the Chrome webstore, which removes an important barrier to external compromise. MEGAsync and our Firefox extension are signed and hosted by us and could therefore not have fallen victim to this attack vector. While our mobile apps are hosted by Apple/Google/Microsoft, they are cryptographically signed by us and therefore immune as well.

The company has since released a new, clean version of the extension, 3.39.5, which is the only safe one[4]. Google Play Store removed the extension from their web store five hours after the data exposure. Users who still have the malicious 3.39.4 variant of the extension should uninstall it immediately.

Moreover, it is advisable to change the passwords of all accounts that were used while the malware-laden extension was active. Sadly, according to the MEGA team, there is a chance that the malware compromised information on any website or account visited during that period[5]:

"Please note that if you visited any site or made use of another extension that sends plain-text credentials through POST requests, either by direct form submission or through a background XMLHttpRequest process (MEGA is not one of them) while the trojaned extension was active, consider that your credentials were compromised on these sites and/or applications," the company said.
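As an added example (not code from the article, MEGA or Google), the following Python audit walks a Chrome profile's Extensions directory and flags the trojaned 3.39.4 build for removal, which is the remediation step the article recommends. It assumes Chrome's on-disk layout of Extensions/<id>/<version_dir>/manifest.json, and the demo profile it builds uses constructed placeholder extension IDs, since the real store ID is not given on this page.

```python
import json
import tempfile
from pathlib import Path

# Versions named in the article: 3.39.4 was trojaned, 3.39.5 is the clean release.
TROJANED_VERSIONS = {"3.39.4"}
CLEAN_VERSIONS = {"3.39.5"}


def scan_extensions_dir(extensions_root):
    """Walk <profile>/Extensions/<id>/<version_dir>/manifest.json and classify
    MEGA installs as (extension_id, version, status), status being "trojaned",
    "clean" or "review"; extensions that are not MEGA are skipped."""
    findings = []
    for manifest in Path(extensions_root).glob("*/*/manifest.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest, skip it
        # Localised manifests carry "__MSG_...__" placeholders instead of a literal
        # name, so match on name plus description (the store ID is not on the page).
        blob = f"{data.get('name', '')} {data.get('description', '')}".lower()
        if "mega" not in blob:
            continue
        version = str(data.get("version", ""))
        if version in TROJANED_VERSIONS:
            status = "trojaned"
        elif version in CLEAN_VERSIONS:
            status = "clean"
        else:
            status = "review"  # unknown build: verify against the vendor's releases
        findings.append((manifest.parent.parent.name, version, status))
    return findings


def build_demo_profile():
    """Constructed sample profile in Chrome's layout (IDs are placeholders, not real)."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    samples = {
        ("placeholder-mega-id", "3.39.4_0"): {"name": "MEGA", "version": "3.39.4"},
        ("placeholder-other-id", "1.2.0_0"): {"name": "Tab Tidy", "version": "1.2.0"},
    }
    for (ext_id, version_dir), manifest in samples.items():
        d = root / ext_id / version_dir
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return str(root)
```

On a real machine, point scan_extensions_dir at the profile's Extensions folder (for example ~/.config/google-chrome/Default/Extensions on Linux) and treat any "trojaned" result as a cue to remove the extension and rotate the passwords used while it was installed.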

About the author
Linas Kiguolis - Expert in social media

Linas Kiguolis is one of News Editors and also the Social Media Manager of 2spyware project. He is an Applied Computer Science professional whose expertise in cyber security is a valuable addition to the team.
