What could have been a malicious breach of one of Sega’s servers appears to have been shut down, according to a report from security company VPN Overview. A misconfigured Amazon Web Services S3 bucket contained sensitive information that allowed researchers to arbitrarily upload files to a wide variety of Sega-owned domains, as well as credentials to abuse an email list of 250,000 users.
Affected domains included the official landing pages of major franchises, including Sonic the Hedgehog, Bayonetta, and Total War, as well as Sega.com itself. VPN Overview was able to run executable scripts on these sites, which, as you can imagine, would have been very bad if this breach had been discovered by malicious actors rather than researchers.
An incorrectly stored Mailchimp API key gave VPN Overview access to the above email list. The emails themselves were available in plain text along with IP addresses and passwords that the researchers were able to decipher. According to the report, “a malicious user could have very effectively distributed ransomware using the hacked email and SEGA’s cloud services.”
There is still no indication that bad actors took advantage of this vulnerability before VPN Overview discovered it and Sega helped fix it. Sega Europe was not available for comment.
Misconfigured S3 buckets are, unfortunately, a very common information security problem. Similar errors this year affected audio company Sennheiser, Senior Advisor, PeopleGIS, and the government of Ghana. Sega was the target of a major attack in 2011 that resulted in the theft of personally identifiable information relating to 1.3 million users. Fortunately, this misconfigured European server did not result in any similar incident.