A European Sega server was unprotected and freely accessible

Sega left one of its European servers so poorly configured that it was effectively unprotected. The security firm VPN Overview explains everything that was possible to do with it.

Sega's mishandling of a server

The misconfigured European server was hosted on Amazon Web Services (AWS). It contained sensitive information that allowed security researchers to upload files to a large number of domains owned by Sega, as well as credentials that would have allowed a list of 250,000 users to be abused.

Affected sites included the home pages of major franchises, including Sonic, Bayonetta, and Total War, as well as the Sega.com site itself. VPN Overview was able to run executable scripts on these sites, which would have been quite serious had the breach been discovered by malicious actors rather than researchers.

An improperly stored Mailchimp API key provided access to the email list. The email addresses were available in the clear, along with the associated IP addresses and passwords, which the researchers were able to recover even though they were hashed. A malicious user could very easily and efficiently have distributed ransomware using Sega’s compromised email and cloud services.

As far as is known, no malicious actor discovered Sega’s poorly configured European server. So much the better. The necessary steps have since been taken to secure access to the server.