Sega accidentally published AWS credentials as part of major cloud breach



SEGA Europe Suffers Major Security Breach: A Brief Summary

SEGA Europe leaked an access key to their Amazon cloud, which VPNOverview recovered. We found multiple vulnerabilities, and gained access to:

  • Steam developer key (moderate severity)
  • RSA keys (serious severity)
  • PII and hashed passwords (serious severity)
  • MailChimp API key (critical severity)
  • Amazon Web Services credentials (critical severity)

In this article, we explore the access we were able to get. We also take a look at how hackers could have turned SEGA Europe’s cloud services against their fans. Using the key, hackers could have compromised SEGA’s cloud and attacked SEGA fans and employees. We simulated a targeted spear phishing attack using SEGA’s compromised cloud.

We worked with SEGA Europe to close the breach and it is no longer an active risk to SEGA’s users.

VPNOverview’s internet security team discovered a breach affecting SEGA Europe. Specifically, our security team found sensitive files stored in a publicly accessible Amazon Web Services (AWS) S3 bucket. There were lapses in SEGA’s cloud security that could have exposed SEGA’s users and workers to malware, ransomware, and targeted “spear phishing” attacks.

Our team worked with SEGA to close the breach and ensure users can safely access official websites and forums.

[Image: Infographic showing the security vulnerabilities in SEGA's systems]

We recovered multiple sets of AWS keys and demonstrated it was possible to access many of SEGA Europe’s cloud services. Our security researchers also recovered MailChimp and Steam keys that allowed us to access those services in SEGA’s name.

We were able to run scripts and upload files on domains owned by SEGA Europe. Many popular SEGA websites and CDNs were at risk of spreading malware to users.

SEGA also inadvertently shared personally identifiable information (PII) affecting users of the Football Manager forums at community.sigames.com prior to 2016.

SEGA Europe Cloud Security Breach

We found these breaches in SEGA Europe’s Amazon cloud:

| Finding | Severity |
|---|---|
| Steam developer key | Moderate |
| RSA keys | Serious |
| PII and hashed passwords | Serious |
| MailChimp API key | Critical |
| Amazon Web Services credentials | Critical |

These keys, credentials, and passwords could be used for malicious purposes. They granted access to many SEGA cloud services. We turned over all access keys, passwords, and certificates we found. SEGA Europe fixed the breach and restored the security of their cloud.

SEGA Europe domains breached

The AWS keys we discovered allowed us read and write access to SEGA Europe’s cloud storage. All of the critically affected domains were hosted in AWS S3 buckets.

S3 buckets are used to store data in the cloud. Each bucket is like a folder on a filesystem. It can contain files and subdirectories. Buckets can be used to host websites, store logs, hold data for mobile apps, and more. They are a general-purpose form of cloud storage.

Our security researchers were able to upload files, execute scripts, alter existing web pages and modify the configuration of critically vulnerable SEGA domains. In this image, we demonstrate the ability to run scripts on a SEGA domain:

[Image: Bucket script window]

We’ve listed some of the affected domains and included their Moz.com domain authority score below:

| SEGA domain | Moz Domain Authority | Severity |
|---|---|---|
| downloads.sega.com | 83 | Critical |
| cdn.sega.com | 83 | Critical |
| careers.sega.co.uk | 65 | Critical |
| influencer.sega.co.uk | 65 | Critical |
| cdn.sega.co.uk | 65 | Critical |
| bayonetta.com | 52 | Critical |
| whatif.humankind.game | 49 | Critical |
| makewarnotlove.com | 51 | Critical |
| vanquishgame.com | 46 | Critical |
| sega.com | 83 | Serious |
| forever.sega.com | 83 | Serious |
| totalwar.com | 77 | Serious |
| footballmanager.com | 71 | Serious |
| sonicthehedgehog.com | 61 | Serious |
| companyofheroes.com | 61 | Serious |

26 public-facing domains controlled by SEGA Europe were affected. An attacker would have been able to upload files and modify content on domains we consider critically vulnerable. It would have been possible to modify CloudFront distributions affecting the domains we consider seriously vulnerable.

High authority domains affected

Many of the impacted domains have high domain authority scores. Sites with high domain authority appear higher in Google rankings, and they are more likely to be trusted. Users are more likely to interact with websites they trust.

We were able to alter content on careers.sega.co.uk. The website briefly served the page below, before we restored it:

[Image: Defaced page on a SEGA domain]

SEGA Europe secured the affected domains based on our findings and it is no longer possible to upload arbitrary files.

Major SEGA CDNs breached

Our security team was also able to upload and replace files on three of SEGA’s production CDNs. A CDN (content delivery network) stores images and software. We demonstrated our access by temporarily uploading harmless files:

[Image: Replaced file on SEGA's CDN]

Often, third-party websites will link to a company’s CDN for an official version of an image or file. That creates the potential for a large secondary impact. We found 531 domains with links to the affected CDNs:

| CDN | Number of domains linked | Severity |
|---|---|---|
| downloads.sega.com | 88 | Critical |
| cdn.sega.com | 438 | Critical |
| cdn.sega.co.uk | 5 | Critical |

We identified high-authority domains linked to the CDN breach using data from Moz.com. This breach would have enabled a hacker to spread malware on these sites:

| Affected domain | Moz Domain Authority |
|---|---|
| eveonline.com (third-party site) | 80 |
| somethingawful.com (third-party site) | 74 |
| sega.co.uk | 65 |
| sonicstadium.org (third-party site) | 64 |
| sigames.com | 63 |
| companyofheroes.com | 61 |
| twcenter.net (third-party site) | 61 |
| games2gether.com | 57 |

In particular, the CDN at downloads.sega.com hosts *.pdf and *.exe files. These could have been used to distribute malware and ransomware. SEGA Europe repaired this breach, so attacks involving their CDNs aren’t possible any longer.

SEGA AWS cloud services compromised

VPNOverview was able to access and change these cloud services belonging to SEGA Europe:

| Service name | Number of affected instances |
|---|---|
| S3 Storage Buckets | 147 |
| CloudFront Distributions | 24 |
| EC2 Servers | 27 |
| SNS Notification Topics | 20 |

We used the AWS credentials we recovered to scan SEGA’s cloud. Then we created a complete log of the services we could access. When we finished, we shared our logs with SEGA Europe cybersecurity.

SNS notification queues compromised

We were able to access some of SEGA Europe’s Simple Notification Service (SNS) queues and subscribers. Amazon SNS sends email alerts to members of SEGA’s IT staff. A typical SNS queue might forward server alerts to an administrator.

An attacker using the leaked credentials could craft and send malicious SNS alerts to subscribers. Our team found high-impact SNS queues that could have been targeted:

[Image: Compromised SNS notification queues]

Additionally, this breach exposed the email addresses of eight SEGA engineers and two internal email relays. Hackers could have targeted them to gain even more access to SEGA Europe’s cloud.

SEGA fixed the breach and their SNS queues are now secure.

Steam API breach

We were able to recover a Steam API key. Our researchers confirmed it was a Steam developer key and used it to access the Steam Partner API:

[Image: Recovered Steam developer key]

We confirmed the key we recovered was used in production at SEGA Europe. The API key has been revoked by SEGA.

RSA key breach

Our team discovered two sets of private RSA keys belonging to SEGA Europe. We were unable to use the RSA keys to access SEGA services. The keys were left in the filesystem of server images shared to the cloud. One set of files contained expired keys. SEGA cybersecurity revoked the rest of the keys.

Our security team also discovered a SQL backup file containing PII (personally identifiable information) in the form of email and IP addresses. The database contained MD5 hashed passwords. We were able to look up the hashes to recover passwords.

This breach affected community.sigames.com/forums accounts from prior to 2016. Many of the accounts that were exposed are still active. We were able to match usernames in the database with accounts on the forum. Email and IP addresses of over 250,000 users were leaked:

[Image: Blurred database PII from the Football Manager forums]

PII breaches are increasingly common. It’s likely most of the IP addresses are out of date and useless. In this case however, the email addresses would be useful for targeted phishing attacks. Furthermore, the combination of usernames, email addresses, and easily retrievable passwords could pose additional dangers for account takeovers.

MailChimp and messaging service compromised

Our researchers recovered a MailChimp API key that gave us the ability to send mail from [email protected]. To test our access, we sent multiple messages from [email protected] to ourselves. Every email we sent appeared legitimate and used TLS encryption. This screenshot shows an example of one of our emails as it appeared in our inbox:

[Image: Email sent with the live SEGA MailChimp key, as shown in Gmail]

We were able to alter existing MailChimp templates and create our own. A hacker could use those privileges to create a malicious email based on official SEGA templates. A fraudulent email sent through the MailChimp API would appear to be official.

No additional email addresses were exposed when MailChimp was compromised. SEGA detected our use of their API key and revoked it during our investigation. We had access to their email API for 3 days. We weren’t discovered until after we had created a custom MailChimp campaign and sent a message using it.

SEGA risked sophisticated spear phishing attack

Targeted phishing attacks, known as “spear phishing,” are more complex than traditional phishing attacks. They require lists of users who are primed to accept your message, access to official email accounts, and legitimate domains to host the payload. SEGA Europe inadvertently made all of those things available.

SEGA Europe left users vulnerable to sophisticated spear phishing attacks by exposing multiple sets of credentials and leaking the email addresses of Football Manager forums users. A hacker could have used the data to launch an attack like this one:

[Image: Infographic showing how SEGA could have been targeted by a spear phishing attack]

Anyone who discovered these vulnerabilities would have been able to craft a malicious email targeted at members of the Football Manager forums at community.sigames.com/forums. A malicious user could have distributed ransomware very effectively using SEGA’s compromised email and cloud services. They could have sent an email like this:

[Image: FMFC email screenshot]

Attackers would have been able to convince users to install malware directly or lead them to other compromised domains:

[Image: Sign-up page for influencers on Football Manager]

Attacks like this are difficult for users to defend against, because every domain involved in the attack is legitimate. Phishing prevention software that works by detecting browser redirects and malicious links would not help, since none of those are needed when official SEGA domains can be used.

Vulnerabilities Fixed in SEGA Europe’s AWS Cloud

Our investigation exposed weaknesses in SEGA Europe’s cloud security, which SEGA’s security team fixed efficiently after becoming aware of these weaknesses. Our access to SEGA’s cloud has been removed and all aforementioned breaches have been closed. The cloud services in this article are no longer at risk of being exploited.

Here are some of the factors we think contributed to the breach.

Security Practices Contributed to Impact of SEGA Attack

Some of SEGA Europe’s own cloud security decisions contributed to the attack. The company made a few key mistakes that would have allowed hackers to escalate their access to SEGA’s cloud:

  • Not following best practices for cloud storage
  • Slow initial response
  • Few automated security alerts

The core issue behind this breach was the collection of AWS credentials left in public cloud storage. Amazon has best practice guidelines for cloud storage and IAM roles that could help in preventing similar breaches.
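As an added example (not part of the original report, and not SEGA's or VPNOverview's tooling), the following Python script shows the kind of pre-upload or periodic scan that would have caught the material described in this report: it matches the public formats of AWS access keys, PEM private keys, MailChimp keys and Steam Web API keys across a set of objects. The object keys, file contents and key values are constructed for the example (the AWS values are the placeholder keys from AWS documentation); the MailChimp and Steam patterns are assumptions based on the public shape of those keys.

```python
import re
from dataclasses import dataclass

# Detection patterns for the credential types named in the report.
# The AWS and PEM patterns follow documented formats; the MailChimp and
# Steam patterns are assumptions based on the public shape of those keys.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"
    ),
    "rsa_private_key": re.compile(
        r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----"
    ),
    "mailchimp_api_key": re.compile(r"\b[0-9a-f]{32}-us[0-9]{1,2}\b"),
    "steam_web_api_key": re.compile(
        r"(?i)steam[_-]?(?:web[_-]?)?api[_-]?key\s*[=:]\s*['\"]?([0-9A-F]{32})"
    ),
}


@dataclass(frozen=True)
class Finding:
    object_key: str
    kind: str
    line_no: int


def scan_text(object_key, text):
    """Return one Finding per (line, credential type) matched in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(object_key, kind, line_no))
    return findings


def scan_objects(objects):
    """objects maps an object key to its bytes, as you would assemble by
    listing a bucket and fetching each object. Binary content is decoded
    leniently so PEM headers inside disk images are still visible."""
    findings = []
    for key, body in objects.items():
        findings.extend(scan_text(key, body.decode("utf-8", errors="replace")))
    return findings


def summarize(findings):
    """Count findings per credential type."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample bucket contents. The AWS values are the placeholder
# keys from AWS documentation; the other values are made up for this example.
SAMPLE_OBJECTS = {
    "config/.env": (
        b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        b"AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "images/web.img/root/.ssh/id_rsa": (
        b"-----BEGIN RSA PRIVATE KEY-----\n"
        b"MIIBogIBAAJBALRiMLAHcKUq\n"
        b"-----END RSA PRIVATE KEY-----\n"
    ),
    "app/settings.py": (
        b"MAILCHIMP_KEY = '0123456789abcdef0123456789abcdef-us1'\n"
        b"steam_web_api_key = '0123456789ABCDEF0123456789ABCDEF'\n"
    ),
    "public/index.html": b"<html><body>Hello</body></html>\n",
}

if __name__ == "__main__":
    for f in scan_objects(SAMPLE_OBJECTS):
        print(f"{f.object_key}:{f.line_no}: {f.kind}")
    print(summarize(scan_objects(SAMPLE_OBJECTS)))
```

Running the scan over the constructed bucket reports five hits across three objects and nothing for the HTML page. Server images are the case worth noting: a `.img` file uploaded to a bucket carries every key that was on the filesystem when the image was captured, which is exactly how the RSA keys in this report ended up in the cloud.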

SEGA Europe’s slow initial response was due to an unreturned email that gave us ten days of access to their systems. After that, we notified SEGA developers directly and received a quick response. More and better automated alerts would have given SEGA Europe earlier awareness. However, they were able to spot the new MailChimp campaign we created and revoke our access.
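The "few automated alerts" point above is the one a detection engineer would act on. As an added example (not from the report and not SEGA's own alerting), here is a minimal rule over CloudTrail-style records: it builds a per-access-key baseline of source addresses from historical events and flags any later use of a key from an address outside that baseline, raising the severity for actions that change content or grant access. The events, keys and addresses are constructed (documentation-range IPs and AWS documentation placeholder keys); the field names follow the CloudTrail record format, and the sensitive-action list is an assumption for the example.

```python
# Actions that change content or grant access. A hit from an unknown
# address is treated as high severity. Assumed list for this example.
SENSITIVE_EVENTS = {
    "PutObject", "DeleteObject", "PutBucketPolicy", "PutBucketWebsite",
    "CreateAccessKey", "UpdateDistribution", "Publish",
}


def build_baseline(events):
    """Map each access key to the source addresses seen in historical
    events, e.g. the last 30 days of CloudTrail records."""
    baseline = {}
    for e in events:
        key = e["userIdentity"].get("accessKeyId", "")
        baseline.setdefault(key, set()).add(e["sourceIPAddress"])
    return baseline


def evaluate_event(event, baseline):
    """Return an alert dict for an event from an unrecognised address,
    or None when the key has been seen from that address before."""
    key = event["userIdentity"].get("accessKeyId", "")
    ip = event["sourceIPAddress"]
    name = event["eventName"]
    if ip in baseline.get(key, set()):
        return None
    severity = "high" if name in SENSITIVE_EVENTS else "medium"
    return {
        "severity": severity,
        "accessKeyId": key,
        "sourceIPAddress": ip,
        "eventName": name,
        "eventTime": event["eventTime"],
        "reason": f"{name} by {key} from unrecognised address {ip}",
    }


def evaluate_events(events, baseline):
    return [a for a in (evaluate_event(e, baseline) for e in events) if a]


# Constructed history: one key only ever used from the known office egress.
HISTORY = [
    {"eventTime": "2021-10-01T08:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
]

# Constructed events to evaluate: the same key from the office, then from
# an address never seen before, then a second key with no history at all.
NEW_EVENTS = [
    {"eventTime": "2021-10-19T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2021-10-19T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2021-10-21T14:30:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2021-10-22T09:00:00Z", "eventSource": "sns.amazonaws.com",
     "eventName": "Publish", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2021-10-25T11:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAI44QH8DHBEXAMPLE"}},
]

if __name__ == "__main__":
    for alert in evaluate_events(NEW_EVENTS, build_baseline(HISTORY)):
        print(alert["severity"], alert["reason"], alert["eventTime"])
```

Two caveats matter when wiring this up for real. S3 object-level calls such as PutObject are CloudTrail data events, which are only recorded when data-event logging is enabled for the bucket or trail; without it, a file upload to a CDN bucket never reaches the rule. And a key with no history at all, like the last constructed event, is itself worth an alert, since a key that was never used from your network is a good candidate for one that was never meant to exist.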

Timeline of Events

This is the timeline of our access to SEGA Europe’s systems:

| Event | Date |
|---|---|
| Discovery of a public S3 bucket containing invoices belonging to SEGA Amusements Intl. | Oct 18th, 2021 |
| Discovery of SQL backup and nginx.img | Oct 18th, 2021 |
| We notified [email protected] of the breach | Oct 18th, 2021 |
| AWS credentials and RSA keys discovered | Oct 19th, 2021 |
| Access gained to AWS S3 buckets | Oct 19th, 2021 |
| www.bayonetta.com was compromised as proof-of-concept | Oct 21st, 2021 |
| sgaas-service.img, a database password, and additional AWS credentials discovered | Oct 22-24, 2021 |
| Access gained to AWS CloudFront distributions and EC2 instances | Oct 25-26, 2021 |
| Steam Developer key and MailChimp key discovered | Oct 26, 2021 |
| Access gained to the email account [email protected] | Oct 27, 2021 |
| Second notification to [email protected], and a notification to impacted SEGA Europe developers | Oct 28, 2021 |
| SEGA Europe Cybersecurity responded and resolved the breach, fixing all mentioned vulnerabilities | Oct 28, 2021 |


SEGA Europe closed the breach ten days after we notified [email protected], and the same day we sent a notification to SEGA developers.

SEGA also made us aware of their Hacker One page. Researchers are advised to submit new reports affecting SEGA Sammy Group there.

Conclusion

The breach of SEGA Europe’s cloud highlights the importance of sandboxing in two ways. First, companies have to keep their public and private cloud separate. SEGA accidentally left private credentials in their public cloud, which caused the breach.

Second, we think storage within a private cloud should be sandboxed. There should not have been a single “bucket” key that unlocked all of SEGA Europe’s cloud storage. Access to S3 buckets should be segmented.
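As an added example of the segmentation recommended above (not from the report and not SEGA's actual policy), the following Python code contrasts a single credential that unlocks every bucket with a policy scoped to one bucket, and includes a small evaluator and audit check so the difference can be tested rather than eyeballed. The bucket name and action set are constructed; the evaluator models only Allow/Deny statements with wildcard matching and ignores conditions, principals and NotAction.

```python
import fnmatch
import json


def bucket_scoped_policy(bucket, actions):
    """IAM policy granting only the given S3 actions on one bucket
    (the bucket itself plus the objects inside it)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": sorted(actions),
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


# The shape of a single credential that unlocks every bucket in the account.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows(policy, action, resource_arn):
    """Simplified evaluator: Allow/Deny statements with wildcard matching.
    Conditions, principals and NotAction are not modelled."""
    allowed = False
    for st in policy["Statement"]:
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if any(fnmatch.fnmatchcase(action, a) for a in actions) and any(
            fnmatch.fnmatchcase(resource_arn, r) for r in resources
        ):
            if st.get("Effect") == "Deny":
                return False  # an explicit Deny always wins
            allowed = True
    return allowed


def audit_policy(policy):
    """Flag Allow statements that are not scoped to specific resources."""
    issues = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        broad_action = any(a == "*" or a.endswith(":*") for a in actions)
        if "*" in resources and broad_action:
            issues.append(f"statement {i}: service-wide actions {actions} on every resource")
        elif "*" in resources:
            issues.append(f"statement {i}: actions {actions} not scoped to a resource")
    return issues


if __name__ == "__main__":
    # Constructed bucket name; one policy per site or CDN bucket.
    scoped = bucket_scoped_policy("example-cdn-bucket", {"s3:GetObject", "s3:PutObject"})
    print(json.dumps(scoped, indent=2))
    print("broad policy issues:", audit_policy(BROAD_POLICY))
    print("scoped policy issues:", audit_policy(scoped))
```

With the scoped policy, a leaked credential for the CDN bucket can write to that bucket and nothing else; the broad policy is what turns one leaked key into write access to 147 buckets. The audit function is the kind of check that belongs in a CI step over IAM policy files, so that a `Resource: "*"` never reaches production unreviewed.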

There are no indications that malicious actors actively exploited these vulnerabilities. SEGA’s cyber security team acted quickly once they were made aware of the vulnerabilities.

Our investigation shows how easily a misconfigured Amazon AWS Bucket can jeopardize the digital infrastructure of even the largest corporations. Our findings should serve as a wake-up call for businesses to assess their cloud security practices. We hope other organizations follow SEGA’s lead and close apparent vulnerabilities before they are exploited by cybercriminals.
