
Sega Europe exposes data via misconfigured AWS S3 bucket

 2 years ago
source link: https://siliconangle.com/2022/01/04/sega-europe-exposes-data-via-misconfigured-aws-s3-bucket/


Sega Europe Ltd. is the latest company found to be exposing data via a misconfigured Amazon Web Services Inc. S3 bucket.

Detailed Dec. 30 by security researcher Aaron Phillips, the exposed bucket contained multiple sets of AWS keys that could have been used to access many of Sega Europe’s cloud services. MailChimp and Steam keys were also found, along with compromised SNS notification queues that ran scripts and uploaded files on domains owned by the company.

The exposed bucket was initially discovered on Oct. 18, with Sega Europe being informed the same day. The company failed to respond to the first notification, only doing so after a follow-up notification sent on Oct. 28. The company subsequently secured the bucket through its cybersecurity team and with the assistance of external security researchers.

Although there’s no proof that a malicious actor accessed the bucket, the potential for such access was real. Phillips noted that the credentials, keys and passwords could, in theory, be used for malicious purposes, including the theft of company and user data.

Phillips concluded that companies should keep their public and private cloud separated and that storage within a private cloud should be sandboxed with access to S3 buckets segmented.

“Unsecured S3 buckets continue to be one of the biggest issues for organizations that use AWS as an infrastructure hosting platform,” Hank Schless, senior manager of security solutions at endpoint-to-cloud security firm Lookout Inc., told SiliconANGLE today. “It’s difficult to speculate what could have been done with the keys, but over the course of 2021, we saw a number of breaches in the gaming industry that affected big names like Twitch and Electronic Arts.”

Schless noted that in the Twitch and EA cases, everything from proprietary gaming code and data to payment information for streamers was leaked.

“Gaming companies possess a treasure trove of personal data, development information, proprietary code and payment information that is highly valuable to threat actors,” Schless added. “With data privacy laws like CCPA and GDPR, gaming companies need to be sure their data is protected as people from all over the world play their games.”

Photo: IQRemix/Flickr
