File Storage Web Site Mega.nz was Hacked but the System’s Design Means No User Data was Compromised

A hacker group claims to have obtained source code and admin accounts for the file-sharing site Mega.nz, formerly owned by internet entrepreneur Kim Dotcom. The group, known as the Amn3s1a Team, claims it also obtained internal documents from the company’s servers by exploiting an escalation of privilege vulnerability. Supposedly, the hacker group could access the data stored on the servers.

There is but one problem (for the hackers): all the data is unreadable.

Part of what makes MEGA so special is its end-to-end encryption. Mega utilizes in-browser, symmetric key encryption. All data to be stored in Mega.nz is first encrypted on the users’ computers before being sent across the Internet to the Mega.nz servers. Being encrypted means that the only ones who can read the data are the users who created the encryption keys. The employees of Mega.nz cannot read the (encrypted) data, nor can government snoops, nor can hackers anywhere in the world.

Mega.nz employees cannot see so much as the file names, and neither can anyone else who might gain access to the files. Every file or folder anyone uploads has its own key, again generated in part from the encryption key created by the user. You’re the one sharing file keys; Mega couldn’t share your keys even if it wanted to. Mega.nz employees don’t know what you’re storing on the servers, by design.

Since even the file names are invisible to Mega.nz employees, the company cannot even delete files. It has no method of identifying individual files to be deleted.
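The client-side pattern described above, as an added example that is not Mega's code or part of the original post: a per-file key encrypts both the file name and the content, and that key is wrapped under a user key that never leaves the client. The algorithm choices (scrypt, AES-256-GCM), the function names and the sample data are assumptions made for illustration.

```javascript
// Added illustration, NOT Mega's implementation. Algorithms and names are assumptions.
const nodeCrypto = require('node:crypto');

// AES-256-GCM helper: returns iv (12 bytes) || tag (16 bytes) || ciphertext.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

// Inverse of seal(); throws if the key is wrong or the blob was modified.
function unseal(key, blob) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Client side: the user key is derived from the password and is never uploaded.
function deriveUserKey(password, salt) {
  return nodeCrypto.scryptSync(password, salt, 32);
}

// Client side: build the only record the storage server ever receives.
function encryptForUpload(userKey, fileName, content) {
  const fileKey = nodeCrypto.randomBytes(32); // fresh key for every file
  return {
    wrappedKey: seal(userKey, fileKey).toString('base64'),
    name: seal(fileKey, Buffer.from(fileName, 'utf8')).toString('base64'),
    data: seal(fileKey, content).toString('base64'),
  };
}

// Client side: unwrap the file key, then recover the name and content.
function decryptDownload(userKey, record) {
  const fileKey = unseal(userKey, Buffer.from(record.wrappedKey, 'base64'));
  return {
    fileName: unseal(fileKey, Buffer.from(record.name, 'base64')).toString('utf8'),
    content: unseal(fileKey, Buffer.from(record.data, 'base64')),
  };
}

// Constructed sample data.
const salt = Buffer.from('constructed-salt-16b');
const userKey = deriveUserKey('correct horse battery staple', salt);
const stored = encryptForUpload(userKey, 'tax-return-2016.pdf',
  Buffer.from('constructed file body'));
```

Anyone holding only `stored`, whether an employee or an intruder on the server, has ciphertext for the name, the content and the file key alike.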

There is a method of recovering a forgotten password/encryption key, but only if the user saves a secret key when the account is created. If the user ever loses that recovery key, he or she is locked out forever. There is no method for the Mega.nz employees to recover a lost password/encryption key.

Mega didn’t invent encryption or anything. It’s not the first cloud storage service to use it either. It just happens to be implementing it on a wide scale, and in a particularly savvy fashion. In my opinion, all cloud file-storage services should emulate Mega.nz’s example. This isn’t rocket science; a few other file storage services do the same, including SpiderOak, Tresorit, and perhaps a few others. Why don’t ALL the file storage services do the same? Where do you want to store your files?

Mega.nz offers 50 gigabytes of storage free of charge to anyone who wants it.

 
