Sega left one of its European servers wide open
A malicious attacker could've accessed 250,000 users' personal data.
What could have been a damaging breach in one of Sega's servers appears to have been closed, according to a report by security firm VPN Overview. The misconfigured Amazon Web Services S3 bucket contained sensitive information that allowed researchers to arbitrarily upload files to a huge swath of Sega-owned domains, as well as credentials to abuse a 250,000-user email list.
The domains impacted included the official landing pages for major franchises, including Sonic the Hedgehog, Bayonetta and Total War, as well as the Sega.com site itself. VPNO was able to run executable scripts on these sites which, as you can imagine, would have been quite bad if this breach had been discovered by malicious actors instead of researchers.
An improperly stored Mailchimp API key gave VPNO access to the aforementioned email list. The emails themselves were available in plaintext alongside associated IP addresses and passwords whose hashes the researchers were able to reverse. According to the report, "a malicious user could have distributed ransomware very effectively using SEGA’s compromised email and cloud services."
So far there's no indication that bad actors made use of this vulnerability before VPNO discovered and helped Sega to fix it. Sega Europe was not available for comment.
Misconfigured S3 buckets are, unfortunately, an extremely common problem in information security. Similar errors this year have impacted audio company Sennheiser, Senior Advisor, PeopleGIS, and the government of Ghana. Sega was the target of a major attack in 2011 which led to the exfiltration of personally identifiable information pertaining to 1.3 million users. Thankfully, this misconfigured European server didn't result in a similar incident.
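The kind of misconfiguration described above (a bucket that anyone can read from and write to) is something a defender can check for before a researcher or an attacker does. The following is an added example, not code from VPN Overview or Sega: an offline audit of the three S3 settings that decide public exposure, the bucket policy, the bucket ACL and the account-level Public Access Block. The bucket names, the account id and both configurations are constructed for illustration; the settings have the shape that the AWS API returns (the policy as a JSON string, the ACL as a list of grants, the Public Access Block as four booleans), so the same functions can be fed the output of `get_bucket_policy`, `get_bucket_acl` and `get_public_access_block`.

```python
"""Offline audit of S3 bucket settings for public read/write exposure.

Added example; the buckets, policies and account id below are constructed
and do not describe any real account.
"""
import json

# Canned ACL groups that make a grant public.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Actions that let a public principal modify bucket contents.
WRITE_ACTIONS = {"s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl", "s3:*", "*"}
# The four Public Access Block settings; all should be True.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_public(principal):
    """True for the wildcard principal in either of its spellings."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS")))
    return False


def policy_findings(policy):
    """Flag Allow statements whose principal is everyone."""
    if isinstance(policy, str):          # get_bucket_policy returns a JSON string
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list((policy or {}).get("Statement")):
        if stmt.get("Effect") != "Allow" or not principal_is_public(stmt.get("Principal")):
            continue
        actions = set(_as_list(stmt.get("Action")))
        kind = "public-write" if actions & WRITE_ACTIONS else "public-read"
        # A Condition block (e.g. aws:SourceIp) may narrow the grant; surface it anyway.
        suffix = " (conditional)" if stmt.get("Condition") else ""
        findings.append(f"policy:{kind}{suffix}")
    return findings


def acl_findings(grants):
    """Flag ACL grants to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for grant in grants or []:
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GRANTEE_URIS:
            group = uri.rsplit("/", 1)[-1]
            findings.append(f"acl:{group}:{grant.get('Permission')}")
    return findings


def pab_findings(public_access_block):
    """Flag any Public Access Block setting that is off or missing."""
    disabled = [k for k in PAB_KEYS if not (public_access_block or {}).get(k, False)]
    return [f"public-access-block:disabled={','.join(disabled)}"] if disabled else []


def audit_bucket(bucket):
    """Return all findings for one bucket description; empty list means no public exposure."""
    return (policy_findings(bucket.get("policy"))
            + acl_findings(bucket.get("acl_grants"))
            + pab_findings(bucket.get("public_access_block")))


# Constructed: a bucket that serves site assets and lets anyone read and upload.
WEAK_BUCKET = {
    "name": "example-sites-assets",
    "policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Sid": "AllowEveryone", "Effect": "Allow", "Principal": "*",
                       "Action": ["s3:GetObject", "s3:PutObject"],
                       "Resource": "arn:aws:s3:::example-sites-assets/*"}],
    }),
    "acl_grants": [{"Grantee": {"Type": "Group",
                                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                    "Permission": "READ"}],
    "public_access_block": {k: False for k in PAB_KEYS},
}

# Constructed: the same bucket restricted to one deployment role (account id is a placeholder).
HARDENED_BUCKET = {
    "name": "example-sites-assets",
    "policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Sid": "DeployerOnly", "Effect": "Allow",
                       "Principal": {"AWS": "arn:aws:iam::123456789012:role/site-deployer"},
                       "Action": ["s3:GetObject", "s3:PutObject"],
                       "Resource": "arn:aws:s3:::example-sites-assets/*"}],
    }),
    "acl_grants": [],                                # owner-only ACL
    "public_access_block": {k: True for k in PAB_KEYS},
}

if __name__ == "__main__":
    for bucket in (WEAK_BUCKET, HARDENED_BUCKET):
        print(bucket["name"], audit_bucket(bucket) or "no public exposure")
```

Serving public web content from a bucket and accepting arbitrary uploads into it are two different decisions; the audit separates `public-read` from `public-write` so that the second can be treated as a hard failure while the first is reviewed against whether the bucket is meant to be public at all. Turning on all four Public Access Block settings at the account level is the broadest single fix, because it overrides public ACLs and policies on every bucket in the account.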