Sega has left one of its European servers wide open

What could have been a malicious breach on one of Sega’s servers appears to have been closed, according to a report from security firm VPN Overview. The misconfigured Amazon Web Services S3 bucket contained sensitive information that allowed researchers to upload arbitrary files to numerous domains owned by Sega, as well as credentials that could be used to abuse an email list of 250,000 users.

Affected domains include the official landing pages for major franchises, including Sonic the Hedgehog, Bayonetta, and Total War, as well as the site itself. VPNO was able to run executable scripts on these sites, which, as you can imagine, would have been pretty bad if this breach had been discovered by malicious actors rather than researchers.

An incorrectly stored Mailchimp API key gave VPNO access to the aforementioned email list. The emails themselves were available in plain text, alongside their associated IP addresses and passwords that the researchers could un-hash. According to the report, “a malicious user could very effectively proliferate ransomware using SEGA’s compromised email and cloud services.”

So far, there is no evidence that attackers took advantage of this vulnerability before VPNO discovered it and helped Sega fix it. Sega Europe could not be reached for comment.

Misconfigured S3 buckets are unfortunately a common problem in information security. Similar mistakes have impacted audio company Sennheiser, Senior Advisor, PeopleGIS and the Government of Ghana this year. Sega was the target of a major attack in 2011 that led to the exfiltration of personally identifiable information from 1.3 million users. Fortunately, this misconfigured European server did not lead to a similar incident.
