A misconfiguration that could have turned into a serious breach of one of Sega's servers appears to have been closed off, according to a report by security firm VPN Overview. The incorrectly configured Amazon Web Services S3 bucket held sensitive information that allowed the researchers to upload arbitrary files to a large number of Sega-owned domains, as well as credentials that could have been used to abuse an email list of 250,000 users.
The affected domains included the official landing pages of major franchises, including Sonic the Hedgehog, Bayonetta and Total War, as well as the Sega.com site itself. VPNO was able to run executable scripts on these sites, which, as you can imagine, would have been pretty bad had this exposure been found by malicious actors instead of researchers.
An insecurely stored Mailchimp API key gave VPNO access to the aforementioned email list. The email addresses themselves were held in plain text, along with associated IP addresses and password hashes that the researchers were able to crack. According to the report, “a malicious user could have distributed ransomware very efficiently using SEGA’s compromised email and cloud services.”
So far, there is no indication that bad actors made use of this exposure before VPNO discovered it and helped Sega fix it. Sega Europe was not available for comment.
Incorrectly configured S3 buckets are, unfortunately, an extremely common problem in information security. Similar failures this year have affected the audio company Sennheiser, Senior Advisor, PeopleGIS and the Ghanaian government. Sega was the target of a major attack in 2011 that exposed personally identifiable information on 1.3 million users. Fortunately, this misconfigured European server did not result in a similar event.
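As an added example (not code from the report or from this article), the small Python audit below checks the two failure modes described above: a bucket policy that lets anonymous principals write to the bucket, which is what turns a static-asset bucket into a way to plant scripts on the sites it serves, and a Mailchimp-style API key sitting in plain text among the bucket's contents. The policies, the role ARN and the configuration file are constructed for illustration and are assumptions; the report does not publish Sega's actual bucket configuration, and the key pattern is an assumption about the usual Mailchimp key format.

```python
import json
import re
from typing import Iterable

# Constructed sample policies for this example; they are not Sega's real
# bucket configuration, which the report does not publish.
PUBLIC_WRITE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowUploads",
        "Effect": "Allow",
        "Principal": "*",  # everyone, including unauthenticated callers
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-web-assets/*",
    }],
})

RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # public read of site assets is fine; public write is not
            "Sid": "PublicReadOnly", "Effect": "Allow", "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-web-assets/*",
        },
        {   # writes only from a named deployment role (hypothetical ARN)
            "Sid": "DeployRoleWrites", "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/site-deploy"},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-web-assets/*",
        },
    ],
})

# S3 actions that let a caller change bucket contents or the bucket itself.
WRITE_ACTIONS = {
    "s3:putobject", "s3:deleteobject", "s3:putobjectacl",
    "s3:putbucketacl", "s3:putbucketpolicy",
}


def _as_list(value):
    """IAM policy fields may be a single string/dict or a list of them."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """True if the Principal element grants to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _grants_write(actions: Iterable[str]) -> bool:
    """True if any action, including wildcards such as s3:Put*, covers a write."""
    for action in actions:
        action = action.lower()
        if action in ("*", "s3:*") or action in WRITE_ACTIONS:
            return True
        if action.endswith("*") and any(
                w.startswith(action[:-1]) for w in WRITE_ACTIONS):
            return True
    return False


def public_write_statements(policy_json: str) -> list:
    """Return the Sids (or positions) of Allow statements granting anonymous write.

    Statements carrying a Condition are still reported: a condition may narrow
    the grant, but that needs a human to confirm, so the finding stays listed.
    """
    policy = json.loads(policy_json)
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement", []))):
        if statement.get("Effect") != "Allow":
            continue
        if not _is_anonymous(statement.get("Principal")):
            continue
        if _grants_write(_as_list(statement.get("Action", []))):
            findings.append(statement.get("Sid", "Statement[%d]" % index))
    return findings


# Assumed Mailchimp key format: 32 hex characters, "-", data-center suffix (us1..us21).
MAILCHIMP_KEY_RE = re.compile(r"\b[0-9a-f]{32}-us\d{1,2}\b")


def find_mailchimp_keys(text: str) -> list:
    """Return every Mailchimp-style API key found in a blob of plain text."""
    return MAILCHIMP_KEY_RE.findall(text)


# Constructed object contents for the scan; the key is a made-up example value.
SAMPLE_CONFIG = (
    "MAILCHIMP_API_KEY=0123456789abcdef0123456789abcdef-us20\n"
    "LIST_ID=abc123\n"
)

if __name__ == "__main__":
    for name, policy in (("public-write", PUBLIC_WRITE_POLICY),
                         ("restricted", RESTRICTED_POLICY)):
        print(name, "anonymous write statements:", public_write_statements(policy))
    print("keys found:", find_mailchimp_keys(SAMPLE_CONFIG))
```

Two caveats for anyone running this against real buckets: it reads only the bucket policy, so a public write granted through a legacy ACL (an AllUsers WRITE grant) is not caught, and the S3 Block Public Access setting at the account or bucket level is the control that stops this whole class regardless of what the policy says. Any key the scanner turns up should be treated as compromised and rotated, not merely deleted from the object.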
All products recommended by The Hamden Journal are selected by our editorial staff, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we can earn an affiliate commission.