According to a study by security firm VPN Overview, a potentially serious vulnerability in one of Sega’s servers appears to have been resolved. The misconfigured Amazon Web Services S3 bucket held sensitive data that allowed researchers to upload files to a large number of Sega-owned domains at will, as well as credentials to abuse a 250,000-user email list. To solve the problem, Sonic House collaborated with security researcher Aaron Phillips from VPN Overview.

The official landing pages for popular franchises such as Sonic the Hedgehog, Bayonetta, and Total War, as well as the Sega.com site itself, were all affected. VPNO was able to run executable scripts on these sites, which, as you can imagine, would have been disastrous if malevolent actors had found the weakness instead of researchers. VPNO gained access to the aforementioned email list thanks to an improperly stored Mailchimp API key.
The emails were in plaintext, along with related IP addresses and passwords that the researchers were able to decrypt. Worse, Sega kept user information and credentials on this server, potentially affecting hundreds of thousands of people. Thankfully, the situation was swiftly resolved, and no indication of a breach was discovered. A criminal actor might have used the compromised server to distribute ransomware, according to VPN Overview. Because many third-party sites link to Sega servers for official versions of an image or a file, the server could also have served as the epicentre of a larger secondary attack.
“A malicious person might have propagated ransomware very successfully using SEGA’s compromised email and cloud services,” according to the research. So far, there’s no evidence that bad actors exploited this flaw before VPNO detected it and assisted Sega in fixing it. Sega Europe did not respond to requests for comment.
Unfortunately, misconfigured S3 buckets are a very widespread concern in information security. Sennheiser, Senior Advisor, PeopleGIS, and the Ghanaian government have all been affected by similar blunders this year. In 2011, Sega was the victim of a massive cyberattack that resulted in the theft of personally identifiable information from 1.3 million users. Fortunately, this misconfigured European server did not cause a similar problem.
“Businesses must keep their public and private clouds separate,” Phillips added. “Companies frequently leave private credentials in their public cloud inadvertently, resulting in breaches,” he continued. He also suggested that private cloud storage be sandboxed and that access to it be segmented. “Businesses should use this cybersecurity study as a wake-up call to evaluate their cloud security strategies. We hope that more companies follow SEGA’s lead and examine and close known vulnerabilities before they are abused by hackers,” Phillips remarked.
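As an added example (not code from the article or from VPN Overview), the check below parses an S3 bucket policy and flags Allow statements that let an anonymous principal upload to, list or read the bucket, the class of misconfiguration described above, and scans object text for a Mailchimp-style API key so a leaked credential can be caught before it is abused. The sample policy, bucket name and account id are constructed, and the Mailchimp key format is an assumption.

```python
# Added example: audit an S3 bucket policy for anonymous grants and scan
# object contents for a leaked Mailchimp-style key.  Not the article's code.
import json
import re

# Actions that let an anonymous principal write, enumerate or read the bucket.
RISKY_ACTIONS = {"s3:*", "s3:putobject", "s3:deleteobject", "s3:listbucket", "s3:getobject"}
# Mailchimp API keys: 32 hex chars, a dash, then a data-centre tag such as us6 (assumed format).
MAILCHIMP_KEY = re.compile(r"\b[0-9a-f]{32}-us\d{1,2}\b")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True when the Principal element matches everyone on the internet."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def audit_bucket_policy(policy_json):
    """Return one finding per Allow statement that grants a risky action to anyone."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        risky = sorted(actions & RISKY_ACTIONS)
        if risky:
            note = "" if stmt.get("Condition") else " (no Condition restricts it)"
            findings.append(f"{stmt.get('Sid', '<no Sid>')}: public {', '.join(risky)}{note}")
    return findings

def find_mailchimp_keys(text):
    """Return Mailchimp-style API keys found in an object's contents."""
    return MAILCHIMP_KEY.findall(text)

# Constructed sample policy: the anonymous-upload class of bug the article describes.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PublicUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:PutObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "OwnerOnly", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket"},
    ],
})
```

Running `audit_bucket_policy(SAMPLE_POLICY)` reports the PublicRead and PublicUpload statements and leaves OwnerOnly alone; point it at the output of `aws s3api get-bucket-policy` for a real bucket.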