Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

SEGA Europe left AWS S3 bucket unsecured exposing data and infrastructure to attack

SEGA Europe inadvertently left users’ personal information publicly accessible on Amazon Web Services (AWS) S3 bucket. SEGA Europe inadvertently left users’ personal information publicly accessible on Amazon Web Services (AWS) S3 bucket.  At the end of the year, gaming giant SEGA Europe inadvertently left users’ personal information publicly accessible on Amazon Web Services (AWS) S3 bucket, cybersecurity firm VPN […]

sega vulnerabilities-hack-infographic-updated 2

SEGA Europe inadvertently left users’ personal information publicly accessible on Amazon Web Services (AWS) S3 bucket. SEGA Europe inadvertently left users’ personal information publicly accessible on Amazon Web Services (AWS) S3 bucket. 

At the end of the year, gaming giant SEGA Europe inadvertently left users’ personal information publicly accessible on Amazon Web Services (AWS) S3 bucket, cybersecurity firm VPN Overview reported.

The unsecured S3 bucket contained multiple sets of AWS keys that could have allowed threat actors to access many of SEGA Europe’s cloud services along with MailChimp and Steam keys that allowed access to those services. in SEGA’s name.

“Researchers found compromised SNS notification queues and were able to run scripts and upload files on domains owned by SEGA Europe. Several popular SEGA websites and CDNs were affected.” reads the report published by VPN Overview.

sega vulnerabilities-hack-infographic-updated 2

The unsecured S3 bucket could potentially also grant access to user data, including information on hundreds of thousands of users of the Football Manager forums at community.sigames.com.

Below is the list of bugs in SEGA Europe’s Amazon cloud reported by the company:

FINDINGSEVERITY
Steam developer keyModerate
RSA keysSerious
PII and hashed passwordsSerious
MailChimp API keyCritical
Amazon Web Services credentialsCritical

The security firm states that there are no indications malicious third parties accessed the sensitive data or exploited any of the mentioned vulnerabilities prior to them.

The researchers reported that they were able to upload files, execute scripts, alter existing web pages and modify the configuration of critically vulnerable SEGA domains.

The list of affected domains includes downloads.sega.com, cdn.sega.com, careers.sega.co.uk, sega.com, and bayonetta.com. Many of the impacted domains have high domain authority scores.

The compromise of some of the company domain would have allowed attackers to distribute malware via SEGA’s infrastructure.

“In particular, the CDN at downloads.sega.com hosts *.pdf and *.exe files. Malicious parties would potentially use CDNs to distribute malware and ransomware. SEGA Europe made sure attacks involving their CDNs aren’t possible any longer.” continues the report.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, S3 bucket)

[adrotate banner=”5″]

[adrotate banner=”13″]