Remember Mega, the encrypted cloud storage company? No? Well, maybe you remember its predecessor, Megaupload, the file hosting provider that was accused of acting as a haven for web pirates during the mid-2000s and was subsequently shuttered by authorities. Prior to its shutdown, Megaupload was thought of as the premiere site for people who wanted to flout intellectual property law, until the feds took it down in a spasm of regulatory vengeance. It was the site you might have ended up on a few clicks after Googling “Breaking Bad full episodes.”
In 2013, after Megaupload bit the dust, original founder Kim Dotcom (whose real name is Kim Schmitz) and fellow former executives, Bram van der Kolk, Mathias Ortmann, and Finn Batato, created a new company from the ashes of the old one, launching “Mega.” Dotcom eventually bowed out of the venture, but Mega has soldiered on for the majority of the past decade, promising users that it was a safe and cheap way to store and secure their files.
But this week has been pretty rough for Mega. Not only have van der Kolk and Ortmann pled guilty to crimes related to its predecessor site, provoking rage from Dotcom, but researchers uncovered evidence that the company’s infrastructure has security flaws that could allow for the decryption of user data. Mega has long promised its users that their data is protected by end-to-end encryption—which means its supposed to be hidden from everybody except the user. But that’s just not the case, as the company admitted in a blog post about patching the vulnerability.
Dotcom, who was similarly charged but maintains his innocence, wrote of his former business partners, “Mathias Ortmann and Bram Van der Kolk have stolen Mega from me to benefit a convicted Chinese criminal... Some shady guys who just made a deal with the US and NZ govt to get out of the US extradition case by falsely accusing me. Delete your Mega account. It’s not safe.”
Two Megaupload Founders Plead Guilty
The legal case against Bram van der Kolk, Mega’s chief system architect, and Mathias Ortmann, listed as its co-founder, stems from their time with Megaupload—a platform authorities allege was used to facilitate the large-scale, illegal distribution of copyrighted material. After the company’s implosion in 2012, van der Kolk, Ortmann, Dotcom, and Batato immediately became embroiled in legal troubles over their alleged roles in the site’s shadier activities. Authorities in the U.S. and New Zealand (where they were arrested) accused the defunct website of being a piracy hub, and the site’s operators of being well aware of their product’s use. For the past decade, all four have been part of an ongoing court case and have faced the threat of extradition to the U.S., where federal officials have expressed a desire to charge them in an American court.
Extradition proceedings were dropped against Batato last year, and he died of cancer earlier this month. Ortman and van der Kolk, meanwhile, pled guilty to the charges against them in New Zealand on Tuesday in a bid to avoid being extradited. Both men pled guilty to having been part of an “organized criminal group” that illicitly profited off of copyrighted material. They each face up to 10 years in prison. Dotcom, meanwhile, has maintained his innocence, and it is unclear if he will face extradition to the U.S.
In an interview with Stuff, van der Kolk said he was looking ahead to future work he could accomplish at Mega: “We’ve worked incredibly hard on Mega and we strongly feel that our rehabilitation process has started a long time ago. We are very proud of what we have built and we are very much looking forward to being able to continue to build, because we still have a lot of work to do.”
When reached for comment on Wednesday, a Mega spokesperson noted that this particular court case had been ongoing for a long, long time:
The charges against Mathias Ortmann and Bram van der Kolk relate to activities 10-20 years ago, when the internet was in its early stages of development. Similar actions were taken by many other companies, including Youtube and Rapidshare, but without the same draconian criminal charges being placed.
Dotcom, meanwhile, has not been involved in Mega for several years. We reached out to Dotcom for comment and will update this story if he responds.
Researchers Say Decryption is Possible
On top of the legal news, Mega also suffered something of a reputation hit this week with the disclosure of new security issues. For a long time, the company has claimed that it secures user data with end-to-end encryption. In a blog post, the company writes: “As long as you ensure that your password is sufficiently strong and unique, no one will ever be able to access your data on MEGA. Even in the exceptionally improbable event MEGA’s entire infrastructure is seized!”
But there is a problem with these promises, say University of Zurich researchers, who published a study on the company earlier this week. In fact, there are a number of situations in which user data can be decrypted.
Researchers say that Mega’s encryption can be broken by somebody with access to the company’s backend infrastructure. In other words, the company itself—or someone with access to its internal tools—has the ability to decrypt user data in certain circumstances. Researchers said the cryptography Mega uses to secure data has a number of fundamental problems, which allows for the decryption of data. To check out the full scope of these security issues, you can head to the researchers’ website.
On Tuesday, Mega ultimately admitted that the security issues were a thing and published a statement acknowledging that a security update had been issued to fix a related vulnerability:
“Today, MEGA has released software updates that fix a critical vulnerability reported by researchers at one of Europe’s leading universities, ETH Zurich, Switzerland. Further updates addressing less severe identified issues will follow in the near future. MEGA is not aware of any user accounts being compromised by these vulnerabilities.”
When reached for comment by Gizmodo, the company further sought to downplay the severity of the security risks. A majority of the security issues have been patched already and others will be “ fixed by client updates over the coming days,” a spokesperson said. He added:
Please note that the most significant finding required a client to log in more than 512 times, while being observed by the malicious attacker. That number of logins was only exceeded by a tiny percentage of our 250 million registered users.
While that does seem to narrow the field of potentially affected users, it’s still not a great look for a company that has promised to keep your data hidden.