Cloud storage service Mega.nz revealed that it was hacked on Tuesday, September 4, and users who had installed the service’s Chrome browser extension may have had their passwords to other internet services compromised. The malicious version of the browser extension was uploaded to the Chrome web store by hackers in an effort to gain access to user’s logins for sites such as Amazon, Google, GitHub, and Microsoft. The passwords were sent to a Ukraine-based server.
“On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA’s Chrome extension, version 3.39.4, to the Google Chrome webstore,” Mega.nz said in a blog post. “You are only affected if you had the MEGA Chrome extension installed at the time of the incident, auto update enabled and you accepted the additional permission, or if you freshly installed version 3.39.4.” Users accessing the service by typing in the URL into the browser are not affected.
In order to gain access to your passwords, Mega.nz explained that the malicious extension asks for elevated permissions, such as the ability to read and change data on all websites you visited, something that the legitimate version of the extension does not require or ask for. If you’re downloading a browser extension, computer program, or app from the internet — even from what is believed to be a trusted source, as this case proves — you should always review what permissions you’re granting. Additionally, users should also try to limit what they install to stay safe.
Users who downloaded the hacked version of the Chrome extension are advised to change their passwords for any affected sites that they use, including amazon.com, live.com, github.com, google.com (for web store login), myetherwallet.com, mymonero.com, and idex.market. Additionally, if you had submitted any information through web forms as plain text, hackers may have been able to capture that information as well.
It’s not immediately clear how hackers were able to hijack Mega.nz’s account to upload the malicious version of the browser extension to the Chrome web store or how many users were affected, though Mega.nz boasts having 100 million registered users. After the breach was discovered, Mega.nz uploaded a clean version of the extension, version 3.39.5, to the Chrome web store. If you had downloaded the trojanized version of the extension, the browser extension should auto-update to the clean version. Google has also removed the malicious version of the extension.
The best bet to stay safe when it comes to browser extension is to not download any extension you won’t need. Like malicious apps, there have been reports in the past of malicious extensions. However, as the incident with Mega.nz demonstrates, even legitimate extension can be hacked, leaving your passwords exposed.