Sega Europe could have easily fallen victim to a data breach (opens in new tab) as security researchers recently discovered that the company had left sensitive files stored insecurely on a publicly accessible database (opens in new tab).
Researchers at the security firm VPN Overview found the files in question stored on a misconfigured Amazon Web Services (AWS (opens in new tab)) S3 bucket. They were also able to obtain multiple sets of AWS keys that gave them read and write access to Sega Europe's cloud storage (opens in new tab).
In addition to sensitive files, the misconfigured S3 bucket contained was also used to host websites (opens in new tab) for a number of popular Sega properties including Sonic the Hedgehog, Bayonetta, Football Manager and Total War as well as Sega's official site. In total, 26 public-facing domains (opens in new tab) controlled by Sega Europe were affected.
VPN Overview's researchers were able to upload files, execute scripts, alter existing web pages and modify the configuration of critically vulnerable Sega domains according to a new report (opens in new tab).
Compromised email and cloud services
During its investigation, VPN Overview's security team recovered an API to the email marketing software (opens in new tab) MailChimp that gave it the ability to send emails from the address firstname.lastname@example.org.
The team then sent multiple messages to test its access and every email it sent appeared legitimate and also used TLS encryption. From here, the researchers were able to alter existing MailChimp (opens in new tab) templates and even create their own. As all of the emails sent out to Football Manager users appeared legitimate and would be able to bypass email security checks, a malicious attacker could have used this access to launch phishing campaigns (opens in new tab).
VPN Overview was also able to upload and replace files on three of Sega's content delivery networks (CDNs (opens in new tab)). As third-party websites often link to a company's CDN for an official version of an image or file, 531 additional domains were linked to Sega Europe's affected CDNs. As a result, an attacker could have abused the company's CDNs to distribute malware (opens in new tab) and ransomware (opens in new tab) to unsuspecting users.
After discovering Sega Europe's misconfigured S3 bucket, VPN Overview responsibly disclosed its findings to the company which then secured the database and all of its affected cloud services and software.