1
bols59
32d

Approx. 24 hours ago I proceeded to use MEGA NZ to download a file. It's something I've done before. I have an account with them.
This is part of the email I received from MEGA NZ following the download: "
zemenwambuis2015@gmail.com
YOUR MEGA ACCOUNT HAS BEEN LOCKED FOR YOUR SAFETY; WE SUSPECT THAT YOU ARE USING THE SAME PASSWORD FOR YOUR MEGA ACCOUNT AS FOR OTHER SERVICES, AND THAT AT LEAST ONE OF THESE OTHER SERVICES HAS SUFFERED A DATA BREACH.

While MEGA remains secure, many big players have suffered a data breach (e.g. yahoo.com, dropbox.com, linkedin.com, adobe.com, myspace.com, tumblr.com, last.fm, snapchat.com, ashleymadison.com - check haveibeenpwned.com/PwnedWebsites for details), exposing millions of users who have used the same password on multiple services to credential stuffers (https://en.wikipedia.org/wiki/...). Your password leaked and is now being used by bad actors to log into your accounts, including, but not limited to, your MEGA account.

To unlock your MEGA account, please follow the link below. You will be required to change your account password - please use a strong password that you have not used anywhere else. We also recommend you change the passwords you have used on other services to strong, unique passwords. Do not ever reuse a password.

Verify my email
Didn’t work? Copy the link below into your web browser:

https://mega.nz//...

To prevent this from happening in the future, use a strong and unique password. Please also make sure you do not lose your password, otherwise you will lose access to your data; MEGA strongly recommends the use of a password manager. For more info on best security practices see: https://mega.nz/security

Best regards,

— Team MEGA

Mega Limited 2020."

Who in their right mind is going to believe something like that that's worded so poorly?

Can anybody shed some light on this latest bit of MEGA's fuckery?

Thank you very much.

Comments
  • 9
    They just hooked up to the haveyoubeenpwned api and ran your hashed password through it.

    Easiest way to confirm is go log into your mega account and find out.
  • 1
    Also: I wouldn't be surprised if they have finally hooked up to the api, considering Mega already had a data breach in the past.

    https://troyhunt.com/the-773-millio...
  • 0
    They're off my Lee Radzwill Holiday Lunch party for the foreseeable future (the entire meal is half a slice of cherry tomato, one piece of iceberg lettuce and an airplane bottle of Smirnoff).
  • 0
    @C0D4 So it seems they are using no salt then. Or creating a second unsalted hash which is used with the API.
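
On the salt question raised in the comments: the Pwned Passwords range API is queried with the first five hex characters of an unsalted SHA-1, which a service can compute at the moment a password is submitted, independently of how it stores that password. The sketch below is an added example, not MEGA's code (the page does not say how MEGA ran its check); the function names, the stand-in fetcher and the sample response body are constructed for illustration.

```python
import hashlib

# Constructed sample of a range response for prefix 5BAA6. Format is
# SUFFIX:COUNT per line, CRLF-separated. Counts are made up; the zero-count
# line mimics a padding entry that must not be treated as a hit.
SAMPLE_RANGE_BODY = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:42\r\n"
    "2B1D0F0A9C3E4D5F60718293A4B5C6D7E8F:0\r\n"
)


def split_hash(password: str) -> tuple[str, str]:
    """Return (5-char prefix sent to the API, 35-char suffix kept locally)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix: str, range_body: str) -> int:
    """Find our suffix in the range response; 0 means not listed."""
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.isdigit():
            return int(count)
    return 0


def check_at_login(password: str, fetch_range) -> int:
    """Check a just-submitted password; only the prefix leaves the process.

    fetch_range is a hypothetical callable taking the 5-char prefix and
    returning the response body as text.
    """
    prefix, suffix = split_hash(password)
    return breach_count(suffix, fetch_range(prefix))


def fake_fetch(prefix: str) -> str:
    # Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>
    return SAMPLE_RANGE_BODY if prefix == "5BAA6" else ""


if __name__ == "__main__":
    # The stored credential can stay salted; this hash is transient.
    print(check_at_login("password", fake_fetch))
```

The full hash and the password never leave the caller, and a nonzero count is what would justify forcing a password reset.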