SEGA Europe allegedly left users’ personal information publicly accessible on Amazon Web Services (AWS) S3 bucket. However, there are no indications malicious third parties accessed the sensitive data or exploited any of the mentioned vulnerabilities before the security researchers restricting access to the bucket.

According to VPN Overview, the unsecured S3 bucket contained multiple sets of AWS keys that could have allowed threat actors to access many of SEGA Europe’s cloud services along with MailChimp and Steam API keys that allowed access to those services in SEGA’s name. Michael Isbitski, Technical Evangelist at Salt Security, says, “An API key was exposed as part of the S3 bucket leak. SEGA Europe presumably used that API key to authenticate calls to MailChimp services. Presumably, someone could’ve used that to send emails as SEGA Europe through MailChimp, but Sega or MailChimp likely revoked the API key access quickly when the news broke. API keys used as the sole authentication material are a weak form of access control. Attackers regularly harvest API keys by reverse engineering client applications, examining source code or infrastructure-as-code, and analyzing application traffic. Once obtained, an attacker can make a call directly to an API using the API key to obtain access since they’re the equivalent of hardcoded passwords or credentials.”

The S3 bucket could have potentially granted access to user data, such as information on hundreds of thousands of users of the Football Manager Forums at community.sigames.com. Security researcher Aaron Phillips worked with SEGA Europe to secure sensitive files that were inadvertently stored in the S3 bucket. 

Hank Schless, Senior Manager, Security Solutions at Lookout, explains, “Unsecured S3 buckets continue to be one of the biggest issues for organizations that use AWS as an infrastructure hosting platform. Over the last few years, there have been a handful of security breaches due to leaky S3 buckets. As part of the Center for Internet Security (CIS) security configuration benchmarks for AWS, there are a handful of parameters around S3 buckets to give users the guidance necessary for securing these assets. Even with CIS benchmarks, it can be difficult to have visibility into every single S3 bucket across the infrastructure. This is why it’s so important to have a cloud access security broker (CASB) solution that enables its users with cloud security posture management (CSPM). 

Schless adds, “It’s difficult to speculate what could have been done with the keys, but over the course of 2021, we saw a number of breaches in the gaming industry that affected big names like Twitch and Electronic Arts. In those two cases, we saw everything from proprietary gaming code and data to payment information for streamers get leaked. Gaming companies possess a treasure trove of personal data, development information, proprietary code, and payment information that is highly valuable to threat actors. With data privacy laws like CCPA and GDPR, gaming companies need to be sure their data is protected as people from all over the world play their games.”

Cyber asset visibility is a central problem causing these types of issues, says Tyler Shields, CMO at JupiterOne. “The speed at which organizations are moving to the cloud, and building cloud-native technologies, is resulting in rapid growth in security issues from misconfiguration and an absence of asset visibility. Having up-to-date configuration, security, and asset visibility is the foundation of a robust security program.”