SEGA Europe’s AWS credentials were publicly available until recently, allowing attackers to spread malware through the company’s gaming websites, among others. The vulnerabilities have been patched.
Researchers at SEGA Europe managed to gain access to, among other things, the Steam developer key, database and forum passwords and the API key of MailChimp. Especially the public access to the credentials for Amazon Web Services could have had a big impact, according to security researcher.
These credentials provided read and write access to SEGA Europe’s AWS S3 buckets. It was possible to upload malware and modify content at nine of the company’s public domains. Downloads.sega.com, cdn.sega.com, and bayonetta.com, among others, were critical vulnerabilities.
With the obtained AWS credentials, the researchers were able to scan SEGA’s online storage environment for further access. The researchers found the first vulnerabilities on October 18. They shared their findings with SEGA Europe, which fixed the latest vulnerabilities in late October.