Background

SEGA Barely Avoided Huge Data Breach After It Left Database Publicly Open

01/01/2022

SEGA, the Japanese game company, has been around for more than just a few decades.

What started as a business providing coin-operated amusement machines, including slot machines, to military bases during World War II in the 1940s, SEGA later entered the game console market in the 1990s.

In the internet era the company may not have a huge online presence, but it does operate databases that store sensitive files of its own.

This time, SEGA Europe could easily have fallen victim to a huge data breach, as security researchers discovered that the company had left one of its databases open and insecurely accessible to the public.

Researchers from the security firm VPN Overview found the database, full of sensitive data, inside a misconfigured Amazon Web Services (AWS) S3 bucket.

Infographic: Overview of the SEGA vulnerabilities posed by the insecure database. (Credit: VPN Overview)

According to the firm, the S3 bucket also contained access to a host of domains controlled by the company and to a number of SEGA properties, including Sonic the Hedgehog, Bayonetta, Football Manager and Total War, as well as SEGA's official website at Sega.com.

Making things worse, the team at VPN Overview was also able to obtain multiple sets of AWS keys that gave them full privileges to read and write anything in SEGA Europe's cloud storage.

In other words, VPN Overview's researchers were able to upload files, execute scripts, alter existing web pages and even modify the configuration of critically vulnerable SEGA domains.

The team tested this by uploading and replacing files on three of SEGA's content delivery networks (CDNs), and ran test scripts on 26 SEGA-owned public-facing domains. During this attempt, the team found 531 additional domains that were linked to SEGA Europe's affected CDNs.

According to the report, "malicious parties would potentially use CDNs to distribute malware and ransomware."

During its investigation, VPN Overview's security team also found an API that could be used to access SEGA's email marketing software MailChimp, which gave the team the ability to send emails from the address [email protected].

The team then sent multiple messages to test its access and every email it sent appeared legitimate and also used TLS encryption.

This means that any emails sent out to Football Manager users would appear legitimate and would be able to bypass email security checks.

From here, the researchers were also able to alter existing MailChimp templates and even create their own.

With so many things the researchers could do, and with so much personal information and important internal data stored in the misconfigured cloud storage, the team quickly contacted SEGA to report the issue.

VPN Overview responsibly disclosed its findings to SEGA.

Amazon provides its AWS services to anyone who wishes to use them. But when it comes to managing cloud storage, it is up to the user to secure the database stored within.

Amazon does this to give its AWS users the freedom to configure their storage to their own needs.

While this allows users to control their own databases, misconfigured S3 buckets are, unfortunately, an extremely common problem in information security.
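As an added illustration of what "securing the bucket yourself" means in practice (example code, not part of the article or of VPN Overview's report), the following Python checks the three places an S3 bucket can be opened to the public: the bucket policy, the bucket ACL, and the Public Access Block settings. The bucket name, IAM role ARN and policy documents are constructed for this example.

```python
# Added example: offline audit of an S3 bucket's public-exposure settings.
# Inputs mirror the JSON that GetBucketPolicy, GetBucketAcl and
# GetPublicAccessBlock return; all values below are constructed.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def principal_is_public(principal):
    """Principal "*" or {"AWS": "*"} matches anyone, authenticated or not."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    if isinstance(principal, str):
        principal = [principal]
    return "*" in (principal or [])

def audit_bucket(name, policy, acl_grants, public_access_block):
    """Return human-readable findings; an empty list means nothing public was found."""
    pab = public_access_block or {}
    # Public Access Block (bucket or account level), when fully on, neutralises
    # public ACLs and public policies even if they are still present.
    acls_blocked = pab.get("BlockPublicAcls") and pab.get("IgnorePublicAcls")
    policy_blocked = pab.get("BlockPublicPolicy") and pab.get("RestrictPublicBuckets")
    findings = []
    for stmt in (policy or {}).get("Statement", []):
        if (stmt.get("Effect") == "Allow" and principal_is_public(stmt.get("Principal"))
                and "Condition" not in stmt and not policy_blocked):
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            findings.append(f"{name}: policy allows {', '.join(actions)} for any principal")
    for grant in acl_grants or []:
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GROUPS and not acls_blocked:
            findings.append(f"{name}: ACL grants {grant['Permission']} to {uri.rsplit('/', 1)[-1]}")
    return findings

# Constructed "open" state: wildcard principal, AllUsers ACL, no Public Access Block.
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-assets/*"}]}
OPEN_ACL = [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"}]
NO_BLOCK = dict.fromkeys(["BlockPublicAcls", "IgnorePublicAcls",
                          "BlockPublicPolicy", "RestrictPublicBuckets"], False)
# Corrected state: Public Access Block fully on, access scoped to one (hypothetical) IAM role.
FULL_BLOCK = dict.fromkeys(NO_BLOCK, True)
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/cdn-publisher"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"}]}

if __name__ == "__main__":
    print(audit_bucket("example-assets", OPEN_POLICY, OPEN_ACL, NO_BLOCK))
    print(audit_bucket("example-assets", SCOPED_POLICY, [], FULL_BLOCK))  # []
```

Leaked access keys, as in the SEGA case, are a separate problem this check does not cover: a correctly locked-down bucket is still fully writable to anyone holding valid credentials for it.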

Photo: SEGA Corporation in Tokyo, Japan.

Fortunately, SEGA was lucky because it was a security company that identified the issues rather than a malicious actor.

The team at SEGA responded by securing the database and reconfiguring its access.

At the time it was discovered, there was no evidence that the security hole had been exploited, and VPN Overview assured its readers that its team had "worked with SEGA to close the breach and ensure users can safely access official websites and forums."

Previously, SEGA was the target of a major attack in 2011, which led to the exfiltration of personally identifiable information pertaining to 1.3 million of its users.