SEGA Europe’s AWS credentials were publicly available until recently, allowing attackers to spread malware through the company’s gaming websites, among others. The vulnerabilities have been patched.
Researchers at SEGA Europe managed to gain access to, among other things, the Steam developer key, database and forum passwords and the API key of MailChimp. In particular, public access to the credentials for Amazon Web Services could have had a major impact, security researcher Aaron Phillips told VPNGids.
These credentials provided read and write access to SEGA Europe’s AWS S3 buckets. It was possible to upload malware and modify content at nine of the company’s public domains. Downloads.sega.com, cdn.sega.com, and bayonetta.com, among others, were critical vulnerabilities.
With the obtained AWS credentials, the researchers were able to scan SEGA’s online storage environment for further access. The researchers found the first vulnerabilities on October 18. They shared their findings with SEGA Europe, which fixed the latest vulnerabilities in late October.