SEGA Europe suffers a massive security breach; here’s what we know so far
Thankfully, the vulnerability has been patched — but this should serve as a wake-up call for SEGA and its users.
SEGA Europe suffered a major security breach by exposing an access key to its cloud database. Cybersecurity research company VPNOverview discovered the breach and quickly began surveying the issue. Its investigation revealed that SEGA Europe left a ton of its private resources available via a public cloud server — resources that hackers could have accessed.
VPNOverview first informed SEGA Europe of the breach on Oct. 18 but got no response. After viewing and testing the exposed resources, the company sent a second notice to SEGA Europe on Oct. 28. This time, SEGA Europe’s cybersecurity team responded to close the security breach within the day.
So far, there is no record of any bad actor stealing the data exposed in the breach. However, the security hole was open for 10 days while VPNOverview conducted its investigation and was potentially exposed for far longer. In essence, this breach could have had far, far worse results.
All about the SEGA Europe security breach
Like many companies, SEGA Europe stores some of its data in the cloud — Amazon Web Services’ Simple Storage Service (S3), to be specific. VPNOverview discovered sensitive SEGA Europe data in a publicly available S3 bucket, leaving that data exposed to potential malware, phishing, and other security attacks. In total, 26 SEGA-owned domains and their users were at risk because of this breach, including both SEGA corporate websites and sites for specific games, like Bayonetta, Humankind, and Vanquish.
VPNOverview also discovered that personal information leaked from several Football Manager forum users. The researchers uncovered personal information, including emails and IP addresses, from over 250,000 accounts registered prior to 2016. While the IP addresses likely aren’t accurate anymore, the email addresses pose a serious risk of phishing.
Worryingly, it seems like most of VPNOverview’s tests on this security breach went undetected by SEGA. SEGA Europe didn’t respond to the company’s outreach when it first discovered the breach; only after being contacted a second time did SEGA take action. Additionally, while SEGA Europe did discover and correct an exposed MailChimp API after VPNOverview gained access to it, no other actions taken during its investigation prompted a remediating response from SEGA.
SEGA’s response to the breach
SEGA Europe hasn’t made a public comment about the breach at this time. After VPNOverview managed to contact the company, SEGA Europe made swift corrections to fix the vulnerability. It is now safe to visit and use SEGA’s sites.
VPNOverview researcher Aaron Phillips commented:
Time after time, investigations show how easily misconfigured Amazon AWS Buckets can jeopardize the digital infrastructure of even the largest corporations. This cybersecurity report should serve as a wake-up call for businesses to assess their cloud security practices. We hope other organizations follow SEGA’s lead by examining and closing apparent vulnerabilities before they are exploited by cybercriminals.
Aaron Phillips, Cybersecurity Researcher for VPNOverview
This is not the first time SEGA has dealt with a security breach. In 2011, SEGA disclosed that hackers had stolen the personal information of 1.3 million SEGA Pass customers from its database. No culprit was ever determined, and the SEGA Pass service has since been discontinued.
Is your information at risk?
To quell your immediate fears: SEGA Europe has patched the security breach and the affected sites appear to be safe. Furthermore, there is no evidence that any hacker accessed and downloaded any exposed data. However, erring on the side of caution is always the wisest choice when dealing with online security. We recommend you change any passwords you have for SEGA-affiliated sites, including websites for specific SEGA games.
NOTE: As stated above, the leaked data contained personal information of over 250,000 accounts on the Football Manager forums registered prior to 2016. If you have an account on those forums (especially if you activated it before 2016), CHANGE YOUR PASSWORDS AS SOON AS POSSIBLE.
There are a lot of lessons to be learned here for both SEGA and its customers. SEGA’s slow response time to VPNOverview’s initial reports and inability to detect most of the investigations indicate a lack of solid reporting and alerting features on SEGA’s end. The company could benefit from putting better tools and practices in place to keep its data safe. For customers, it’s a great reminder to only use strong passwords and investigate other layers of protection like VPNs.
You can see a full list of VPNOverview’s investigation and findings here.