According to cybersecurity company VPN Overview, gaming giant SEGA Europe mistakenly left customers’ personal information publicly accessible on the Amazon Web Services (AWS) S3 bucket towards the end of the year.
Multiple sets of AWS keys, as well as MailChimp and Steam keys, were found in the insecure S3 bucket, which might have allowed threat actors to access numerous of SEGA Europe’s cloud services under SEGA’s identity.
“Researchers found compromised SNS notification queues and were able to run scripts and upload files on domains owned by SEGA Europe. Several popular SEGA websites and CDNs were affected.” as per the report issued by VPN Overview.
User data, including information on thousands of members of the Football Manager forums at community.sigames.com, may be accessed via the unprotected S3 bucket. These are the problems discovered in SEGA Europe’s Amazon cloud:
- Steam developer key
- RSA keys
- PII and hashed passwords
- MailChimp API key
- Amazon Web Services credentials
As per the security company, there is no evidence that malicious third parties have previously accessed the sensitive data or exploited any of the listed vulnerabilities. Researchers revealed that they were able to upload files, run scripts, edit existing web pages, and change the settings of severely susceptible SEGA domains.
The impacted domains include careers.sega.co.uk, cdn.sega.com, bayonetta.com, sega.com, and downloads.sega.com. The domain authority scores of several afflicted domains are high. The hacking of several of the company’s domains would have allowed attackers to use SEGA’s infrastructure to spread malware.