The online exposure of 15,500 usernames and passwords for New Zealand based file storage website Mega.nz has demonstrated a key issue around using passwords, according to Centrify.

After the authenticity of the leaked logins was confirmed, Mega said the credentials breach was likely caused by repeated usage of the same logins across multiple sites, rather than a breach of its own data systems.

“We can’t verify how the credentials were obtained, but we can confirm that it was not from any breach of Mega’s systems, and that many users do use the same password over multiple sites, a number of which have been hacked,” said Mega Chairman Stephen Hall.

This practice, ‘credential stuffing’,  is where attackers reuse login details obtained from other data breaches.

Centrify Senior Director APAC Sales Niall King said the exposure  highlighted the problem of relying on passwords alone for protection. “What minimal protective value passwords offer is often undermined by the poor security habits of too many users,” he said.

“People use easily guessed passwords – Time Magazine reported the most popular password of 2017 was 123456 – and have the dreadful tendency to re-use passwords across multiple websites, which make them vulnerable to credential stuffing, as appears to be the case with these Mega logins.”

King emphasised security alternatives to password-based protection were both affordable and accessible. “The first involves using Multi-Factor Authentication wherever this is available,” he said.

“This might be a code sent to your smartphone or a biometric identifier such as a thumbprint, but it requires a second step to prove your identity,” King said.

If Multi-Factor Authentication is required for your logins, then the exposure of your password does not present any significant risk.”