Recently discovered and closed, it appears that the Japanese company could have kept open a vulnerability on its servers that could have led to a harmful breach, exposing the personal data of more than 250,000 users.
According to the report shared by security firm VPN Overview , the misconfigured Amazon Web Services S3 “cube” contained sensitive information that allowed researchers to arbitrarily upload files to a large swath of domains owned by Sega, as well as credentials to abuse an email list of its users, including the affected domains official landing pages of major franchises (including Sonic the Hedgehog, Bayonetta or Total War) as well as the SEGA’s own official site.
And unfortunately, misconfigured S3 containers are an extremely common problem in information security. Similar mistakes this year have affected the Sennheiser audio company, Senior Advisor, PeopleGIS, and even the government of Ghana. In fact, SEGA was the target of a major attack in 2011 that led to the leak of personally identifiable information belonging to 1.3 million users. Fortunately, this misconfigured European server did not result in a similar incident.
An incorrectly stored Mailchimp API key gave VPNO access to the aforementioned email list. The emails themselves were available in plain text along with associated IP addresses and passwords that the researchers were able to remove.
Thus, as stated by security experts, “ a malicious user could have very efficiently distributed ransomware using SEGA’s compromised email and cloud services ‘, Being able to run executable scripts on these sites which, as you can imagine, would have been pretty bad if this breach had been discovered by malicious actors rather than researchers.
Fortunately, so far there has been no indication that this vulnerability was exploited before VPNO discovered it and helped SEGA fix it, but at the moment the company has not shared no official statement.