A SEGA leak has exposed the data of about 250,000 forum members associated with Football Manager, according to research by VPNGids.nl. It is unclear how much data on Dutch users was included in the leak.
Send mail from the official mail account
Using publicly available keys, cybersecurity researchers at VPNGids.nl were also able to send emails from the official email account of the soccer game and take over several websites.
SEGA Europe inadvertently allowed third parties to access much of its cloud infrastructure through an improperly configured, insecure Amazon S3 bucket. SEGA was notified immediately and has since fixed most of the vulnerabilities.
The VPNGids.nl team managed to:
- Upload files, run scripts, modify existing web pages, and configure dozens of SEGA-owned or affiliated subdomains, such as https://careers.sega.co.uk/ and http://bayonetta.com/.
- Obtain and use Steam Developer keys.
- Access personal information, including IP addresses and email addresses, of approximately 250,000 users of SEGA's Football Manager Forums.
- Obtain the MailChimp API key that allows sending emails from the [email protected] email account.
The full report can be found here: https://www.vpngids.nl/nieuws/sega-europe-getroffen-door-ernstig-beveiligingslek/
Vulnerabilities of this size allow for highly targeted and sophisticated attacks
Why is this vulnerability potentially so far-reaching and dangerous? Access to a mailing list of this size, combined with control of an official SEGA email account and several SEGA websites, allows an attacker to mount a complex attack that is difficult for users to recognise as such.
David Janssen, Cyber Security Analyst at VPNGids.nl, explains: “In concrete terms, a criminal could use a SEGA database with 250,000 email addresses to send large-scale email messages from an official SEGA email account. The email encourages users to download an infected file or click a link to an official SEGA website where malicious scripts are executed or malware is installed. Without being aware of it, victims will interact with official SEGA email accounts and official SEGA websites operated by a criminal.”
With a new version of Football Manager having been released in November 2021, this would be a perfect time for a criminal to approach fans of the game without arousing suspicion.
Risks from misconfigured Amazon buckets
Janssen: “There are currently no indications that user data has fallen into the wrong hands, but this data breach once again shows how vulnerable even the largest organizations can be as a result of cybersecurity errors.”
Misconfigured Amazon S3 buckets are notorious for causing major data and security breaches. The SEGA vulnerability illustrates the need for organizations to double-check and fix potential security flaws in cloud storage. Amazon publishes access control best practices on its website.
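As an added illustration of what "double-check" means in practice (this is example code written for this article, not code from VPNGids.nl, SEGA or Amazon), the script below evaluates a bucket policy, a bucket ACL and the Block Public Access settings offline and reports whether anonymous callers get in. It places a constructed weak policy, of the kind that exposes a bucket to the internet, beside a constructed hardened one. The bucket name, account ID, role name and every policy and ACL document are placeholders; a real audit would feed it the responses of GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock for each bucket in the account.

```python
"""Offline check of an S3 bucket's access configuration for public exposure.
Added example for this article, not code from VPNGids.nl, SEGA or AWS. Bucket
name, account ID, role and every policy/ACL document below are constructed for
illustration; they do not describe the bucket in the report. Stdlib only."""
import json

ANON_GROUPS = {  # group URIs AWS uses for anonymous / any-signed-in-user ACL grants
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
BUCKET = "arn:aws:s3:::example-assets-bucket"  # constructed placeholder

# Constructed weak policy: anyone on the internet may list and read the bucket.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:ListBucket", "s3:GetObject"], "Resource": [BUCKET, BUCKET + "/*"]}]})

# Constructed hardened policy: one named role reads one prefix; plaintext
# (non-TLS) requests are denied for everyone. The Deny uses Principal "*" but
# must not be reported as a public grant.
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "CdnReadOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/cdn-reader"},
     "Action": "s3:GetObject", "Resource": BUCKET + "/public/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})

# Constructed ACLs in the shape of a GetBucketAcl response.
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}
PUBLIC_ACL = {"Grants": [OWNER_GRANT, {"Grantee": {"Type": "Group",
              "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [OWNER_GRANT]}

# S3 Block Public Access settings, in the shape of a GetPublicAccessBlock response.
PAB_OFF = dict.fromkeys(["BlockPublicAcls", "IgnorePublicAcls",
                         "BlockPublicPolicy", "RestrictPublicBuckets"], False)
PAB_ON = dict.fromkeys(PAB_OFF, True)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"}: any caller, including anonymous ones."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_grants(policy_json):
    """Return (Sid, sorted actions) for each Allow statement usable by any caller.
    Flags wildcard-principal Allow statements without a Condition. Conditioned
    wildcard statements can still be public (e.g. a wide aws:SourceIp range) and
    are left for manual review, so the check may miss exposures but never invents one."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if _is_wildcard_principal(stmt.get("Principal")):
            findings.append((stmt.get("Sid", "<no Sid>"), sorted(_as_list(stmt.get("Action", [])))))
    return findings


def acl_public_grants(acl):
    """Return (group, permission) for ACL grants to the AllUsers / AuthenticatedUsers groups."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in ANON_GROUPS:
            out.append((ANON_GROUPS[grantee["URI"]], grant.get("Permission")))
    return out


def evaluate(policy_json, acl, public_access_block):
    """Combine policy, ACL and Block Public Access into one verdict.
    Only RestrictPublicBuckets neutralises an already-attached public policy and
    only IgnorePublicAcls neutralises existing public ACL grants; the two Block*
    settings just reject new public configuration, so an old one stays live."""
    policy_open = public_grants(policy_json)
    acl_open = acl_public_grants(acl)
    if policy_open and not public_access_block.get("RestrictPublicBuckets"):
        return "PUBLIC via bucket policy"
    if acl_open and not public_access_block.get("IgnorePublicAcls"):
        return "PUBLIC via ACL"
    if policy_open or acl_open:
        return "public grant present but neutralised by Block Public Access"
    return "PRIVATE"


if __name__ == "__main__":
    for label, policy, acl, pab in [("weak policy, PAB off", WEAK_POLICY, PRIVATE_ACL, PAB_OFF),
                                    ("weak policy, PAB on", WEAK_POLICY, PRIVATE_ACL, PAB_ON),
                                    ("hardened policy, public ACL", HARDENED_POLICY, PUBLIC_ACL, PAB_OFF),
                                    ("hardened policy, private ACL", HARDENED_POLICY, PRIVATE_ACL, PAB_OFF)]:
        print(f"{label}: {evaluate(policy, acl, pab)}")
```

Two points the script encodes that are easy to get wrong during a manual review: a Deny statement with Principal "*" is a hardening measure, not an exposure, and turning on Block Public Access after the fact only closes the hole if RestrictPublicBuckets (for policies) and IgnorePublicAcls (for ACLs) are set; the two Block* flags stop new public settings from being written but leave an existing one in force.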
This article is a submission and is not the responsibility of the editors.