Sega Saved by White Hat Hackers
VPN Overview has released a report detailing its discovery of numerous issues with SEGA Europe’s cloud security. Had these vulnerabilities been discovered by hackers with bad intentions, it would have been catastrophic.
Researchers from VPN Overview discovered that SEGA Europe was inadvertently storing sensitive company data on a publicly accessible Amazon Web Services (AWS) cloud storage server. Although the server itself contained no customer data, if a hacker were to have got their hands on the stored information, they would have been able to access the data of Football Manager forum users, wreaked havoc on SEGA’s websites, and conducted impossible-to-detect phishing scams.
What data was discovered and how could it have been used?
On the publicly accessible cloud server, the researchers found numerous AWS keys that granted them access to various SEGA Europe cloud services, websites, one of the company’s email marketing accounts, and more.
The compromised information allowed the researchers to access the private user data of hundreds of thousands of Football Manager forum users. Fortunately, however, there are no signs that any malicious third parties accessed this data.
Using the data stored on the cloud server, the researchers were able to upload files, execute scripts, and alter the web pages of the following sites (and others):
- sega.com
- careers.sega.co.uk
- downloads.sega.com
- bayonetta.com
- totalwar.com
- footballmanager.com
- sonicthehedgehog.com
In total, 26 public-facing websites were vulnerable.
The researchers were also able to upload and replace files on three of SEGA’s content delivery networks. Content delivery networks are what companies use to store files (downloads, images, videos, for example) for access by their customers and third-party companies. The following three content delivery networks were at risk:
- downloads.sega.com
- cdn.sega.com
- cdn.sega.co.uk
If it were a hacker who discovered this SEGA security flaw, they could have easily uploaded malware onto these sites, causing unthinkable damage to SEGA’s customers.
The server also contained data that allowed the researchers to access SEGA Europe’s MailChimp account. Through this account, they were able to send emails from donotreply@footballmanager.com, using existing official SEGA templates. It would be impossible for a potential victim to distinguish a phishing email sent from this email address, meaning a hacker could have conducted widespread, highly successful phishing campaigns.
Fortunately for SEGA, VPN Overview disclosed all its findings to it before the release of the report and the company was able to assess and resolve all the vulnerabilities. In the report, VPN Overview clarifies that “There are zero indications that malicious actors actively exploited any vulnerabilities in the case of SEGA. SEGA’s cyber security team acted quickly once they were made aware of the vulnerabilities by the research team.”
To read VPN Overview’s full report, click here.