Sponsored Links

Sega left one of its European servers wide open

A malicious attacker could've accessed 250,000 users' personal data.
Sega Corp. logos are reflected in windows near the company headquarters in Tokyo June 20, 2011. Japanese video game developer Sega Corp said on Sunday that information belonging to 1.3 million customers has been stolen from its database, the latest in a rash of global cyber attacks against video game companies. REUTERS/Kim Kyung-Hoon (JAPAN - Tags: CRIME LAW SCI TECH BUSINESS)
Kim Kyung Hoon / reuters
Avery Menegus
Avery Menegus|@averysmallghost|December 30, 2021 11:30 AM

What could have been a damaging breach in one of Sega's servers appears to have been closed, according to a report by security firm VPN Overview. The misconfigured Amazon Web Services S3 bucket contained sensitive information which allowed researchers to arbitrarily upload files to a huge swath of Sega-owned domains, as well credentials to abuse a 250,000-user email list.

The domains impacted included the official landing pages for major franchises, including Sonic the Hedgehog, Bayonetta and Total War, as well as the Sega.com site itself. VPNO was able to run executable scripts on these sites which, as you can imagine, would have been quite bad if this breach had been discovered by malicious actors instead of researchers. 

An improperly stored Mailchimp API key gave VPNO access to the aforementioned email list. The emails themselves were available in plaintext alongside associated IP addresses, and passwords that the researchers were able to un-hash. According to the report, "a malicious user could have distributed ransomware very effectively using SEGA’s compromised email and cloud services."

Turn on browser notifications to receive breaking news alerts from Engadget
You can disable notifications at any time in your settings menu.
Not now

So far there's no indication that bad actors made use of this vulnerability before VPNO discovered and helped Sega to fix it. Sega Europe was not available for comment.

Misconfigured S3 buckets are, unfortunately, an extremely common problem in information security. Similar errors this year have impacted audio company Sennheiser, Senior Advisor, PeopleGIS, and the government of Ghana. Sega was the target of a major attack in 2011 which led to the exfiltration of personally identifiable information pertaining to 1.3 million users. Thankfully, this misconfigured European server didn't result in a similar incident.

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission. All prices are correct at the time of publishing.
Sega left one of its European servers wide open