During a cloud-security assessment, SEGA Europe discovered that critical data was being kept in an unsecured Amazon Web Services (AWS) S3 bucket, and it's sharing the story to encourage other companies to double-check their own systems. VPN Overview researcher Aaron Phillips collaborated with SEGA Europe to protect the leaked data. SEGA's revelation, according to Phillips, is designed to assist the broader cybersecurity community in improving their own defenses.
The unsecured S3 bucket may be used to access user data, including information on thousands of members of the Football Manager forums at community.sigames.com. The following are the issues that have been detected in SEGA Europe's Amazon cloud:
- Developer key for Steam
- RSA keys are a type of cryptography.
- PII and passwords that have been hashed
- API key for MailChimp
- Credentials for Amazon Web Services
Sensitive data in hands of a malicious actor could be disastrous for any company, but as Lookout's Hank Schless explained to Threatpost, gaming companies continue to be of particular interest to attackers. To threat actors, gaming firms hold a gold mine of personal data, development information, proprietary code, and payment information. Gaming firms must ensure that their data is protected while consumers from all over the world play their games, thanks to data privacy rules like the CCPA and GDPR.
Indeed, well-known brands like Steam, Among Us, Riot Games, and others have been hacked and utilized to deceive innocent gamers. There is no evidence that malevolent third parties had previously accessed sensitive data or exploited any of the disclosed vulnerabilities, according to the security firm. Researchers were able to upload files, run scripts, edit existing web pages, and change the settings of critically susceptible SEGA domains, according to the researchers. Downloads.sega.com, cdn.sega.com, careers.sega.co.uk, sega.com, and bayonetta.com are among the affected sites. The domain authority scores of several of the afflicted domains are high.
This cybersecurity research should serve as a wake-up call for enterprises to evaluate their cloud security procedures. The researchers are hoping that more companies follow SEGA's lead in researching and addressing known vulnerabilities before fraudsters use them. There is no evidence that malevolent third parties had previously accessed sensitive data or exploited any of the disclosed vulnerabilities, according to the security firm.