Game developer Sega escapes a major data breach after discovering a poorly configured AWS S3 bucket.
Game developer Sega unintentionally illustrates once again the danger of cloud misconfigurations. Security firm VPN Overview discovered a poorly stored API key for Mailchimp. This allowed the company to access an AWS S3 bucket belonging to Sega Europe. In it, researchers found a wealth of information, including 250,000 e-mail addresses and a database of encrypted passwords, several of which they were nevertheless able to unlock.
Abuse potential
VPNO had access to data from domains for popular games and Sega.com itself. Moreover, the specialists were able to run scripts on the affected sites and could get to work on Sega’s mail service. Such access can be pernicious in bad hands. For example, a hacker could set up very targeted phishing campaigns.
VPNO warned Sega about the misconfiguration and the problem has since been fixed. There is no reason to believe that rogue individuals could have exploited the misconfiguration.
The shortcoming shows how important proper configuration of cloud services is. A small mistake can have far-reaching consequences and open the door to hackers, without a leak or bug.