On Tuesday, a researcher named Steve Thomas, known online as "Sc00bz," found that links included in the confirmation emails sent by Mega during the account registration process actually contain the user's password hash. Thomas released a tool called MegaCracker that can be used to extract the hashes from such links and attempt to crack them using a dictionary attack.
Commenting on the tool's release, the Mega officials said that MegaCracker is "an excellent reminder not to use guessable/dictionary passwords, specifically not if your password also serves as the master encryption key to all files that you store on MEGA."
However, they did not address why account confirmation links sent by email contain the user's password hash in the first place. The common technique on other websites is to generate random codes specifically for confirmation links, unrelated to the password.
In order to prevent potential attackers from obtaining their password hash at a later time, users should probably delete the Mega confirmation email after they click on the included link and set up their accounts.
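The random-code approach the article contrasts with Mega's link format, as an added example that is not Mega's code or from the article: the confirmation token comes from a CSPRNG, the server stores only a hash of it, and it is valid once and for a limited time, so the emailed link carries nothing derived from the password. The in-memory store, the 24-hour lifetime and the link format are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600  # assumed validity window for a confirmation link

# Assumed store standing in for a database table: sha256(token) -> (email, expiry).
# Only the hash is kept, so a database leak does not hand out usable links.
_pending = {}


def issue_confirmation_token(email, now=None):
    """Create a fresh random token for the link; independent of the user's password."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG output
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    _pending[token_hash] = (email, now + TOKEN_TTL_SECONDS)
    return token


def build_confirmation_link(token):
    """Assumed link format: the URL embeds the random token and nothing else."""
    return "https://example.invalid/confirm?token=" + token


def confirm(token, now=None):
    """Validate a clicked link. Returns the email on success, None on any failure."""
    now = time.time() if now is None else now
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    entry = _pending.pop(token_hash, None)  # pop: the token is single use
    if entry is None:
        return None
    email, expiry = entry
    if now > expiry:
        return None  # expired tokens are discarded, never honoured late
    return email


def demo():
    """Constructed walk-through: one valid use, a replay attempt, and an expired token."""
    t = issue_confirmation_token("alice@example.com", now=1000.0)
    first = confirm(t, now=1000.0 + 60)          # valid, within TTL
    replay = confirm(t, now=1000.0 + 61)         # same link again: rejected
    old = issue_confirmation_token("bob@example.com", now=0.0)
    expired = confirm(old, now=TOKEN_TTL_SECONDS + 1.0)  # past TTL: rejected
    return first, replay, expired
```

Because the token never depends on the password, a confirmation email that lingers in a mailbox reveals nothing about the account password, which is the property the article's advice to delete the Mega email is compensating for.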