SEGA Europe Suffers Major Security Breach: A Brief Summary
SEGA Europe leaked an access key to their Amazon cloud, which VPNOverview recovered. We found multiple vulnerabilities, and gained access to:
- Steam developer key (moderate severity)
- RSA keys (serious severity)
- PII and hashed passwords (serious severity)
- MailChimp API key (critical severity)
- Amazon Web Services credentials (critical severity)
In this article, we explore the access we were able to get. We also take a look at how hackers could have turned SEGA Europe’s cloud services against their fans. Using the key, hackers could have compromised SEGA’s cloud and attacked SEGA fans and employees. We simulated a targeted spear phishing attack using SEGA’s compromised cloud.
We worked with SEGA Europe to close the breach and it is no longer an active risk to SEGA’s users.
VPNOverview’s internet security team discovered a breach affecting SEGA Europe. Specifically, our security team found sensitive files stored in a publicly accessible Amazon Web Services (AWS) S3 bucket. There were lapses in SEGA’s cloud security that could have exposed SEGA’s users and workers to malware, ransomware, and targeted “spear phishing” attacks.
Our team worked with SEGA to close the breach and ensure users can safely access official websites and forums.
We recovered multiple sets of AWS keys and demonstrated it was possible to access many of SEGA Europe’s cloud services. Our security researchers also recovered MailChimp and Steam keys that allowed us to access those services in SEGA’s name.
We were able to run scripts and upload files on domains owned by SEGA Europe. Many popular SEGA websites and CDNs were at risk of spreading malware to users.
SEGA also inadvertently shared personally identifiable information (PII) affecting users of the Football Manager forums at community.sigames.com prior to 2016.
SEGA Europe Cloud Security Breach
We found these breaches in SEGA Europe’s Amazon cloud:
| Finding | Severity |
| --- | --- |
| Steam developer key | Moderate |
| PII and hashed passwords | Serious |
| MailChimp API key | Critical |
| Amazon Web Services credentials | Critical |
These keys, credentials, and passwords could be used for malicious purposes. They granted access to many SEGA cloud services. We turned over all access keys, passwords, and certificates we found. SEGA Europe fixed the breach and restored the security of their cloud.
SEGA Europe domains breached
The AWS keys we discovered allowed us read and write access to SEGA Europe’s cloud storage. All of the critically affected domains were hosted in AWS S3 buckets.
S3 buckets are used to store data in the cloud. Each bucket is like a folder on a filesystem. It can contain files and subdirectories. Buckets can be used to host websites, store logs, hold data for mobile apps, and more. They are a general-purpose form of cloud storage.
Our security researchers were able to upload files, execute scripts, alter existing web pages and modify the configuration of critically vulnerable SEGA domains. In this image, we demonstrate the ability to run scripts on a SEGA domain:
We’ve listed some of the affected domains and included their Moz.com domain authority score below:
| SEGA Domains | Moz Domain Authority | Severity |
| --- | --- | --- |
26 public-facing domains controlled by SEGA Europe were affected. An attacker would have been able to upload files and modify content on domains we consider critically vulnerable. It would have been possible to modify CloudFront distributions affecting the domains we consider seriously vulnerable.
High authority domains affected
Many of the impacted domains have high domain authority scores. Sites with high domain authority appear higher in Google rankings, and they are more likely to be trusted. Users are more likely to interact with websites they trust.
We were able to alter content on careers.sega.co.uk. The website briefly served the page below, before we restored it:
SEGA Europe secured the affected domains based on our findings and it is no longer possible to upload arbitrary files.
Major SEGA CDNs breached
Our security team was also able to upload and replace files on three of SEGA’s production CDNs. A CDN (content delivery network) serves static content such as images and software downloads. We demonstrated our access by temporarily uploading harmless files:
Often, third-party websites will link to a company’s CDN for an official version of an image or file. That creates the potential for a large secondary impact. We found 531 domains with links to the affected CDNs:
| CDN | Number of Domains Linked | Severity |
| --- | --- | --- |
We identified high-authority domains linked to the CDN breach using data from Moz.com. This breach would have enabled a hacker to spread malware on these sites:
| Affected Domains | Moz Domain Authority |
| --- | --- |
| eveonline.com (third-party site) | 80 |
| somethingawful.com (third-party site) | 74 |
| sonicstadium.org (third-party site) | 64 |
| twcenter.net (third-party site) | 61 |
In particular, the CDN at downloads.sega.com hosts *.pdf and *.exe files. These could have been used to distribute malware and ransomware. SEGA Europe repaired this breach, so attacks involving their CDNs aren’t possible any longer.
SEGA AWS cloud services compromised
VPNOverview was able to access and change these cloud services belonging to SEGA Europe:
| Service name | Number of affected instances |
| --- | --- |
| S3 Storage Buckets | 147 |
| SNS Notification Topics | 20 |
We used the AWS credentials we recovered to scan SEGA’s cloud. Then we created a complete log of the services we could access. When we finished, we shared our logs with SEGA Europe cybersecurity.
SNS notification queues compromised
We were able to access some of SEGA Europe’s Simple Notification Service (SNS) topics and their subscribers. Amazon SNS delivers email alerts to members of SEGA’s IT staff; a typical topic forwards server alerts to an administrator.
An attacker using the leaked credentials could publish crafted, malicious alerts to those subscribers. Our team found high-impact SNS topics that could have been targeted:
Additionally, this breach exposed the email addresses of eight SEGA engineers and two internal email relays. Hackers could have targeted them to gain even more access to SEGA Europe’s cloud.
SEGA fixed the breach and their SNS queues are now secure.
Steam API breach
We were able to recover a Steam API key. Our researchers confirmed it was a Steam developer key and used it to access the Steam Partner API:
We confirmed the key we recovered was used in production at SEGA Europe. The API key has been revoked by SEGA.
RSA key breach
Our team discovered two sets of private RSA keys belonging to SEGA Europe. We were unable to use the RSA keys to access SEGA services. The keys were left in the filesystem of server images shared to the cloud. One set of files contained expired keys. SEGA cybersecurity revoked the rest of the keys.
Our security team also discovered a SQL backup file containing PII (personally identifiable information) in the form of email and IP addresses. The database contained MD5 hashed passwords. We were able to look up the hashes to recover passwords.
This breach affected community.sigames.com/forums accounts from prior to 2016. Many of the accounts that were exposed are still active. We were able to match usernames in the database with accounts on the forum. Email and IP addresses of over 250,000 users were leaked:
PII breaches are increasingly common. It’s likely most of the IP addresses are out of date and useless. In this case however, the email addresses would be useful for targeted phishing attacks. Furthermore, the combination of usernames, email addresses, and easily retrievable passwords could pose additional dangers for account takeovers.
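The forum backup stored passwords as unsalted MD5 digests, which is why they could be recovered by lookup. The following Python example is added here and is not code from VPNOverview’s article or from SEGA; the passwords it hashes are constructed samples, and the PBKDF2 iteration count is an assumption taken from common guidance rather than from the page. It shows the property that makes lookup tables effective (two users with the same password get the same digest) and a salted, iterated scheme under which that linkage disappears, plus the verification routine a forum would use instead of comparing raw hashes.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Constructed sample passwords for the demonstration; not taken from any leaked data.
SAMPLE_PASSWORDS: List[str] = ["football123", "football123", "manager2016"]


def md5_hex(password: str) -> str:
    """Unsalted MD5, the scheme the leaked forum backup used. Deterministic and fast,
    so a precomputed table maps digests straight back to passwords."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt (iteration count is an assumed value).
    The result is stored as one self-describing string: algorithm$iterations$salt$digest."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored parameters and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def unsalted_hashes_are_linkable(passwords: List[str]) -> bool:
    """True if any two accounts sharing a password produce the same MD5 digest."""
    digests = [md5_hex(p) for p in passwords]
    return len(digests) != len(set(digests))


def salted_hashes_are_linkable(passwords: List[str]) -> bool:
    """Same check for the salted scheme: equal passwords still yield distinct records."""
    digests = [hash_password(p) for p in passwords]
    return len(digests) != len(set(digests))


if __name__ == "__main__":
    print("MD5 links equal passwords:", unsalted_hashes_are_linkable(SAMPLE_PASSWORDS))
    print("PBKDF2 links equal passwords:", salted_hashes_are_linkable(SAMPLE_PASSWORDS))
    record = hash_password("football123")
    print("verify correct password:", verify_password("football123", record))
    print("verify wrong password:", verify_password("football124", record))
```

The salt defeats precomputed tables and the iteration count slows each guess; a memory-hard function such as scrypt or Argon2 is the usual recommendation for new systems, and the same store-and-verify pattern applies to them.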
MailChimp and messaging service compromised
Our researchers recovered a MailChimp API key that gave us the ability to send mail from [email protected]. To test our access, we sent multiple messages from [email protected] to ourselves. Every email we sent appeared legitimate and used TLS encryption. This screenshot shows an example of one of our emails as it appeared in our inbox:
We were able to alter existing MailChimp templates and create our own. A hacker could use those privileges to create a malicious email based on official SEGA templates. A fraudulent email sent through the MailChimp API would appear to be official.
No additional email addresses were exposed when MailChimp was compromised. SEGA detected our use of their API key and revoked it during our investigation. We had access to their email API for 3 days. We weren’t discovered until after we had created a custom MailChimp campaign and sent a message using it.
SEGA risked sophisticated spear phishing attack
Targeted phishing attacks, known as “spear phishing,” are more complex than traditional phishing attacks. They require lists of users who are primed to accept the attacker’s message, access to official email accounts, and legitimate domains to host the payload. SEGA Europe inadvertently made all of those things available.
SEGA Europe left users vulnerable to sophisticated spear phishing attacks by exposing multiple sets of credentials and leaking the email addresses of Football Manager forums users. A hacker could have used the data to launch an attack like this one:
Anyone who discovered these vulnerabilities would have been able to craft a malicious email targeted at members of the Football Manager forums at community.sigames.com/forums. A malicious user could have distributed ransomware very effectively using SEGA’s compromised email and cloud services. They could have sent an email like this:
Attackers would have been able to convince users to install malware directly or lead them to other compromised domains:
Attacks like this are difficult for users to defend themselves against, because every domain involved in the attack is legitimate. Phishing prevention software won’t help either: it detects browser redirects and malicious links, neither of which is needed when official SEGA domains can be used.
Vulnerabilities Fixed in SEGA Europe’s AWS Cloud
Our investigation exposed weaknesses in SEGA Europe’s cloud security, which SEGA’s security team fixed efficiently after becoming aware of these weaknesses. Our access to SEGA’s cloud has been removed and all aforementioned breaches have been closed. The cloud services in this article are no longer at risk of being exploited.
Here are some of the factors we think contributed to the breach.
Security Practices Contributed to Impact of SEGA Attack
Some of SEGA Europe’s own cloud security decisions contributed to the attack. The company made a few key mistakes that would have allowed hackers to escalate their access to SEGA’s cloud:
- Not following best practices for cloud storage
- Slow initial response
- Few automated security alerts
The core issue behind this breach was the collection of AWS credentials left in public cloud storage. Amazon has best practice guidelines for cloud storage and IAM roles that could help in preventing similar breaches.
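Credentials of the kinds described in this article (AWS access keys, private RSA keys inside server images, a MailChimp key) have recognisable formats, so a check run before anything is published to a bucket can catch them. The Python example below is added here and is not VPNOverview’s or SEGA’s code. The AWS access key ID shape and the PEM private-key header are documented formats; the MailChimp pattern (32 hex characters followed by a data-centre suffix such as `-us5`) is the commonly documented shape and is an assumption. The sample files, paths and values are constructed; the key ID is AWS’s own documented example value.

```python
import re
from typing import Dict, List, Tuple

# Credential formats to flag. The MailChimp shape is assumed from public documentation.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "mailchimp_api_key": re.compile(r"\b[0-9a-f]{32}-us[0-9]{1,2}\b"),
}


def scan_text(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, pattern_name) for every line matching a credential pattern."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits


def scan_files(files: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Scan a mapping of path -> content and return only the files with findings."""
    results = {}
    for path, content in files.items():
        hits = scan_text(content)
        if hits:
            results[path] = hits
    return results


def bucket_is_safe_to_publish(files: Dict[str, str]) -> bool:
    """Gate for a deploy or sync step: refuse to publish if any credential pattern appears."""
    return not scan_files(files)


# Constructed sample bucket contents, mimicking the file kinds the article describes
# (a config inside a server image, a deploy script, an SSH key, a harmless invoice).
SAMPLE_FILES: Dict[str, str] = {
    "nginx.img/etc/app/config.env": "\n".join([
        "DB_HOST=db.internal",
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",  # AWS documentation's example key ID
        "AWS_SECRET_ACCESS_KEY=<placeholder-not-a-real-secret>",
    ]),
    "deploy/mailer.sh": "export MAILCHIMP_KEY=0123456789abcdef0123456789abcdef-us5",
    "images/server/root/.ssh/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----",
    "invoices/2021-10.txt": "Invoice 1042: 3 arcade cabinets, net 30 days",
}


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        for lineno, name in hits:
            print(f"{path}:{lineno}: {name}")
    print("safe to publish:", bucket_is_safe_to_publish(SAMPLE_FILES))
```

Pattern matching of this kind is a first line of defence, not a complete one: secret access keys and many third-party tokens have no distinctive prefix, so the check belongs alongside keeping credentials out of images and build artifacts in the first place, and alongside short-lived credentials that expire even if they do leak.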
SEGA Europe’s slow initial response was due to an unreturned email that gave us ten days of access to their systems. After that, we notified SEGA developers directly and received a quick response. More and better automated alerts would have given SEGA Europe earlier awareness. However, they were able to spot the new MailChimp campaign we created and revoke our access.
Timeline of Events
This is the timeline of our access to SEGA Europe’s systems:
| Event | Date |
| --- | --- |
| Discovery of a public S3 bucket containing invoices belonging to SEGA Amusements Intl. | Oct 18th, 2021 |
| Discovery of SQL backup and nginx.img | Oct 18th, 2021 |
| We notified [email protected] of the breach | Oct 18th, 2021 |
| AWS credentials and RSA keys discovered | Oct 19th, 2021 |
| Access gained to AWS S3 buckets | Oct 19th, 2021 |
| www.bayonetta.com was compromised as proof-of-concept | Oct 21st, 2021 |
| sgaas-service.img, a database password, and additional AWS credentials discovered | Oct 22-24, 2021 |
| Access gained to AWS CloudFront distributions and EC2 instances | Oct 25-26, 2021 |
| Steam Developer key and MailChimp key discovered | Oct 26, 2021 |
| Access gained to the email account [email protected] | Oct 27, 2021 |
| Second notification to [email protected], and a notification to impacted SEGA Europe developers | Oct 28, 2021 |
| SEGA Europe Cybersecurity responded and resolved the breach, fixing all mentioned vulnerabilities | Oct 28, 2021 |
SEGA Europe closed the breach ten days after we notified [email protected], and the same day we sent a notification to SEGA developers.
SEGA also made us aware of their HackerOne page. Researchers are advised to submit new reports affecting SEGA Sammy Group there.
The breach of SEGA Europe’s cloud highlights the importance of sandboxing in two ways. First, companies have to keep their public and private cloud separate. SEGA accidentally left private credentials in their public cloud, which caused the breach.
Second, we think storage within a private cloud should be sandboxed. There should not have been a single “bucket” key that unlocked all of SEGA Europe’s cloud storage. Access to S3 buckets should be segmented.
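Both lessons above, keeping private material out of public storage and not having one key that unlocks every bucket, can be expressed as checks on policy documents. The Python example below is added here and is not code from VPNOverview or SEGA. The three policy documents are constructed: a broad identity policy resembling a single all-bucket key, a scoped policy limited to one assumed bucket name (`example-site-assets`), and a bucket policy that makes every object world-readable. The audit functions are deliberately simple heuristics and are assumed, not an AWS API.

```python
from typing import Any, Dict, List

# Constructed identity policy: one credential that can do anything to every bucket.
BROAD_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
}

# Constructed scoped policy: list one bucket, read/write objects in it, nothing else.
SCOPED_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-site-assets"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-site-assets/*"},
    ],
}

# Constructed bucket policy granting anonymous read on every object.
PUBLIC_BUCKET_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-site-assets/*"},
    ],
}


def _as_list(value: Any) -> List[Any]:
    """IAM allows a string or a list in Action/Resource/Principal fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    return _as_list(policy.get("Statement", []))


def broad_s3_grants(policy: Dict[str, Any]) -> List[str]:
    """Describe each Allow statement that grants wildcard S3 actions or wildcard resources.
    Heuristic only: Conditions, NotAction and Deny statements are not evaluated."""
    findings = []
    for i, st in enumerate(_statements(policy)):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        wide_action = any(a in ("*", "s3:*") for a in actions)
        wide_resource = any(r in ("*", "arn:aws:s3:::*") for r in resources)
        if wide_action or wide_resource:
            findings.append(f"statement {i}: action={actions} resource={resources}")
    return findings


def is_publicly_readable(bucket_policy: Dict[str, Any]) -> bool:
    """True if any Allow statement grants object reads to the anonymous principal."""
    for st in _statements(bucket_policy):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))
        )
        if not anonymous:
            continue
        if any(a in ("*", "s3:*", "s3:GetObject") for a in _as_list(st.get("Action", []))):
            return True
    return False


if __name__ == "__main__":
    print("broad policy findings:", broad_s3_grants(BROAD_POLICY))
    print("scoped policy findings:", broad_s3_grants(SCOPED_POLICY))
    print("bucket world-readable:", is_publicly_readable(PUBLIC_BUCKET_POLICY))
```

A scoped policy like the second one limits what a leaked credential can reach to a single site’s assets, which is the segmentation the paragraph above argues for; the bucket-policy check catches the other half of the problem, a bucket that should have been private being readable by everyone. In practice the same checks are run against live configuration and complemented by account-level public-access blocking, rather than against documents embedded in a script.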
There are no indications that malicious actors actively exploited these vulnerabilities. SEGA’s cyber security team acted quickly once they were made aware of the vulnerabilities.
Our investigation shows how easily a misconfigured Amazon AWS Bucket can jeopardize the digital infrastructure of even the largest corporations. Our findings should serve as a wake-up call for businesses to assess their cloud security practices. We hope other organizations follow SEGA’s lead and close apparent vulnerabilities before they are exploited by cybercriminals.