SEGA Narrowly Avoids Massive Data Breach on Their EU Servers

SEGA’s Cloud Security Almost Wasn’t

It seems like SEGA had a bit of an oopsie-doopsie waiting to happen. Luckily for us, that event never came to pass. Their supposedly-secure information was stored in a publicly-accessible Amazon Web Services bucket. Not intentionally, mind you, but it still happened. With a few unseen lapses in SEGA’s cloud security, all that information could have been exposed. Technical details here – this is just the plainspeak version.

Sonic Forces main screen 1280x

Impacted domains included the landing pages for several franchises published by SEGA. Those being Sonic the Hedgehog, Total War, and Beyonetta. And as if that wasn’t bad enough, the vulnerability affected SEGA’s official website too. The security gap was discovered and breached by a team of researchers before any malicious actors could venture in.

On top of that, an improperly-stored Mailchimp API key could have given hackers access to a ton of email lists, linked IP addresses, and passwords.

As of yet, there’s no evidence that outside hackers tampered with this data. So, breathe easy. Imagine the kind of damage that could have been done if official-looking sources suddenly became hostile to users. With the brand recognition of Sonic the Hedgehog, coupled with its younger userbase, things could have gotten out of hand fast. And even if you never visit those websites very often, the email breach could have sent malicious actors straight to you. Luckily, companies hire white hat hackers for a reason, and they’re good at what they do.

Apparently, vulnerabilities of this sort are shockingly common. Groups like Sennheiser and even the government of Ghana had to solve this very same problem. While the impact could has been massive, the repair efforts can follow a well-worn path. Patches have since been deployed on SEGA’s end. You won’t have to worry about this vulnerability causing grief any time soon.