"Fundamental flaws uncovered in Mega's encryption scheme show service can read your data."

https://it.slashdot.org/story/22/06/21/2234255/mega-says-it-cant-decrypt-your-files-new-poc-exploit-shows-otherwise?utm_source=rss1.0mainlinkanon&utm_medium=feed

oh no!
https://blog.mega.io/mega-security-update/
"Customers who have logged into their MEGA account at least 512 times (the more, the higher the exposure). Note that resuming an existing session does not count as a login. While all MEGA client products use permanent sessions by default, some third-party clients such as Rclone do not, so their users may be exposed."

This is one of the many reasons why, when a service says it is encrypted (e.g. OneDrive Private Vault), I still use rclone's crypt!

Reading the blog:

For MEGA, as an end-to-end-encrypted (E2EE) storage provider with high standards, this is a serious matter, whereas for providers not using E2EE, such as Dropbox, OneDrive or Google Drive, a compromised back-end or man-in-the-middle attack is of course always fatal. Their privacy guarantees to users are entirely based on policy.

Makes sense but man does it feel slimy to have both a "we screwed up" and "we're better than the competitor" in the same article. Though, to be fair, they are right.