Sega left one of its European servers open
What could have been a devastating breach of one of Sega's European servers appears to have been averted, according to a report by security company VPN Overview. The misconfigured Amazon Web Services S3 bucket contained sensitive information that let the researchers upload arbitrary files to a large swath of Sega domains, as well as credentials giving access to an email list of 250,000 users.
Affected areas included official landing pages for major franchises, including Sonic the Hedgehog, Bayonetta and Total War, as well as the Sega.com site itself. VPNO was able to run executable scripts on those sites, which, as you might expect, would have been very bad had this exposure been discovered by malicious actors instead of researchers.
An improperly stored Mailchimp API key gave VPNO access to the email list in question. The email addresses themselves were stored in plaintext, along with associated IP addresses and passwords that the researchers were unable to decode. According to the report, "a malicious user could have effectively distributed ransomware using SEGA's email and related cloud services."
So far there is no indication that bad actors exploited this vulnerability before VPNO discovered it and helped Sega fix it. Sega Europe was not available for comment.
Unfortunately, misconfigured S3 buckets are a very common problem in information security. Similar errors this year have affected the audio company Sennheiser, Chief Adviser, PeopleGIS, and the Ghanaian government. Sega was the target of a major attack in 2011 that resulted in the theft of personally identifiable information relating to 1.3 million users. Fortunately, this misconfigured European server did not suffer a similar incident.
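The root cause described above is a bucket that anyone on the internet can write to. As an added example (not part of the Engadget article or of the VPN Overview report), the following audit function flags the two ways such access is usually granted: an ACL grant of WRITE or FULL_CONTROL to the AllUsers or AuthenticatedUsers group, and a bucket-policy statement that allows a write action to a wildcard principal. The input shapes match what boto3's get_bucket_acl() and get_bucket_policy() return, but the sample ACL and policy below are constructed for illustration and do not describe Sega's actual configuration.

```python
"""Flag anonymous or any-AWS-account write access in an S3 ACL and bucket policy."""
import json
from typing import Any, Optional

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:putobjectacl", "s3:*", "*"}


def _as_list(value: Any) -> list:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def public_write_findings(acl: dict, policy: Optional[dict]) -> list:
    """Return one finding string per ACL grant or policy statement that lets
    anyone (or any AWS account holder) write into the bucket. Policy
    Condition blocks are deliberately ignored, so the check errs on the side
    of reporting."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            if grant.get("Permission") in WRITE_PERMS:
                who = "AllUsers" if grantee["URI"] == ALL_USERS else "AuthenticatedUsers"
                findings.append(f"ACL grants {grant['Permission']} to {who}")
    for stmt in _as_list((policy or {}).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))
        )
        if not wildcard:
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() in WRITE_ACTIONS:
                sid = stmt.get("Sid", "<no Sid>")
                findings.append(f"policy statement {sid} allows {action} to Principal *")
    return findings


# Constructed sample: the owner has FULL_CONTROL, and AllUsers has been given WRITE.
SAMPLE_ACL = {"Owner": {"ID": "example-owner"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
]}
# Constructed sample: public read is common for a website bucket; the second statement is the problem.
SAMPLE_POLICY = json.loads('{"Version":"2012-10-17","Statement":['
    '{"Sid":"PublicRead","Effect":"Allow","Principal":"*","Action":"s3:GetObject","Resource":"arn:aws:s3:::example-bucket/*"},'
    '{"Sid":"OpenUpload","Effect":"Allow","Principal":{"AWS":"*"},"Action":["s3:PutObject"],"Resource":"arn:aws:s3:::example-bucket/*"}]}')

if __name__ == "__main__":
    for finding in public_write_findings(SAMPLE_ACL, SAMPLE_POLICY):
        print("FINDING:", finding)
```

Against a live account the same function can be fed the `Grants` from `get_bucket_acl()` and the parsed `Policy` string from `get_bucket_policy()`; S3 Block Public Access at the account level is the setting that prevents either grant from taking effect in the first place.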