MEGA Chrome extension stole credentials
Attackers who took control of MEGA's Chrome Web Store developer account published version 3.39.4 of the official extension. The update requested broader permissions and harvested credentials and cryptocurrency wallet secrets from sites the user visited.
Story
The MEGA compromise was fast and public. On 2018-09-04 at about 14:30 UTC, an attacker accessed MEGA's Chrome Web Store developer account and uploaded version 3.39.4 of the official extension.
The malicious build requested expanded permissions. Chrome disables an updated extension until the user accepts newly requested permissions, so that prompt was the only visible warning; anyone who accepted it, or who installed 3.39.4 fresh, ran code that watched for credentials entered on sites such as Google, GitHub, Amazon, and cryptocurrency services including MyEtherWallet, MyMonero, and IDEX.
Captured data was exfiltrated to megaopac.host, an attacker-controlled server reported to be hosted in Ukraine. The prize was not only passwords: wallet private keys and exchange credentials turned the browser extension into a direct path to cryptocurrency theft.
MEGA replaced the extension with a clean release the same day and warned users to change passwords and rotate wallet secrets. This record tracks the Chrome Web Store package, not MEGA's cloud-storage service itself.
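The two indicators a responder can act on here are the extension's manifest (version and host permissions) and the exfiltration domain. The script below is an added example, not code from MEGA or from this record: it audits a Chrome extension manifest for the compromised version and for broad host access, walks a Chrome profile's Extensions directory for the MEGA extension ID taken from the record's Web Store URL, and scans DNS or proxy log lines for megaopac.host. The two manifests and the log lines are constructed samples, not the real 3.39.4 manifest; audit_profile is a hypothetical helper that assumes Chrome's standard Extensions/<id>/<version>/manifest.json layout.

```python
"""Added example (not MEGA's code): audit Chrome extension manifests and logs
for the indicators in this record.  Extension ID and exfil domain come from the
record; the manifests and log lines below are constructed samples."""
import json
import re
from pathlib import Path

MEGA_EXTENSION_ID = "nlbmnnijcnlegkjjpcfjclmcfggfefdm"  # from the record's Web Store URL
COMPROMISED_VERSIONS = {"3.39.4"}
EXFIL_DOMAIN = "megaopac.host"
# Host patterns that grant an extension access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> list[str]:
    """Return findings for one manifest (Manifest V2 or V3)."""
    findings = []
    version = manifest.get("version", "")
    if version in COMPROMISED_VERSIONS:
        findings.append(f"compromised version {version}")
    # MV2 keeps host patterns inside "permissions"; MV3 moves them to "host_permissions".
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    broad = sorted(h for h in hosts if h in BROAD_HOSTS)
    if broad:
        findings.append("broad host access: " + ", ".join(broad))
    # webRequest plus broad host access lets an extension observe form posts to any site.
    if "webRequest" in manifest.get("permissions", []) and broad:
        findings.append("webRequest combined with broad host access")
    return findings


def audit_profile(profile_dir: Path) -> dict[str, list[str]]:
    """Hypothetical helper: walk <profile>/Extensions/<MEGA id>/<version>/manifest.json
    and return {installed_version: findings}."""
    results = {}
    ext_dir = profile_dir / "Extensions" / MEGA_EXTENSION_ID
    for manifest_path in ext_dir.glob("*/manifest.json"):
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        results[manifest_path.parent.name] = audit_manifest(manifest)
    return results


# Match the domain or any subdomain of it, but not look-alikes such as megaopac.hosting.
EXFIL_RE = re.compile(r"(?<![A-Za-z0-9-])" + re.escape(EXFIL_DOMAIN) + r"(?![A-Za-z0-9-])")


def scan_log(lines) -> list[str]:
    """Return the log lines that reference the exfiltration domain."""
    return [line for line in lines if EXFIL_RE.search(line)]


# Constructed sample: a manifest that only touches MEGA's own origin.
CLEAN_MANIFEST = {
    "manifest_version": 2,
    "name": "MEGA",
    "version": "3.39.0",
    "permissions": ["storage", "*://*.mega.nz/*"],
}
# Constructed sample: the shape of an update that asks for access to every site.
SUSPECT_MANIFEST = {
    "manifest_version": 2,
    "name": "MEGA",
    "version": "3.39.4",
    "permissions": ["storage", "webRequest", "<all_urls>"],
}
# Constructed sample DNS/proxy lines; only the second and fourth should be flagged.
SAMPLE_LOG = [
    "2018-09-04T14:41:07Z client=10.0.0.12 query=mega.nz type=A",
    "2018-09-04T14:41:09Z client=10.0.0.12 query=www.megaopac.host type=A",
    "2018-09-04T14:42:30Z client=10.0.0.15 query=megaopac.hosting.example type=A",
    "2018-09-04T14:43:11Z client=10.0.0.12 POST https://megaopac.host/ bytes=2048",
]

if __name__ == "__main__":
    print("clean manifest:", audit_manifest(CLEAN_MANIFEST))
    print("suspect manifest:", audit_manifest(SUSPECT_MANIFEST))
    for hit in scan_log(SAMPLE_LOG):
        print("exfil indicator:", hit)
    # On a real host, point audit_profile at a Chrome profile, e.g.
    # audit_profile(Path.home() / ".config/google-chrome/Default")
```

Finding 3.39.4 in a profile is not enough on its own: a user could have had the update installed but never accepted the permission prompt, in which case Chrome kept the extension disabled. Pair the manifest finding with the log scan, and treat any hit on the domain as confirmation that credentials entered during the window should be rotated.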
Affected Artifacts
MEGA Chrome extension
- Observed
- 2018-09-04
- Compromised Versions
- 3.39.4
- Fixed
- Not listed
- Evidence
- distribution: chrome.google.com/webstore/detail/mega/nlbmnnijcnlegkjjpcfjclmcfggfefdm, mirror: serhack.me/articles/mega-chrome-extension-hacked, domain: megaopac.host, permission: Expanded Chrome extension permissions requested by version 3.39.4, +1 more
Incident Context
- Motive
- Credential Theft, Cryptocurrency Theft
- Cause
- Compromised Developer Account
- Transitive
- No
- User Impact
- 1,600,000
External References
- MEGA Chrome Extension Hacked - Detailed Timeline of Events (serhack.me)
- Hackers replace MEGA Chrome extension with trojanized version (securityboulevard.com)
- MEGA Chrome extension hacked, cryptocurrency and user passwords targeted (bleepingcomputer.com)
Source record: proprietary/mega-chrome/meta.yaml