Sega Pass Compromised - 1.29 Million Customers Data Leaked

Published: 2011-06-19
Last Updated: 2011-06-19 19:02:22 UTC
by Guy Bruneau (Version: 1)
4 comment(s)

Another gaming company had customer data illegally accessed by hackers who copied e-mail addresses, encrypted passwords and birth dates stored in the Sega Pass database. Sega confirmed that no personal payment information was taken because they use external payment providers. On Friday, they indicated that all user passwords were reset and access was temporarily suspended. As of this writing, the Sega Pass is still unavailable to users with a message stating "We hope to be back up and running very soon."[1]

Going back to Rob's diary [3] on Incident Response, it looks like Sega was well prepared (Preparation) and did a pretty good job at quickly informing its customers [2] that an incident had occurred; they identified that their customer data had been compromised (Identification) and immediately isolated the incident (Containment).

It is not clear why so many video game vendors (Nintendo and Sony among them) have become the prey of hackers at this point. In this case, no credit card data was involved; however, the same cannot be said for the potential for spam and phishing when 1.29 million email addresses have been stolen: that is a sizable target list.

[1] http://www.sega.com/sega-pass/
[2] http://playstationlifestyle.net/2011/06/17/sega-pass-database-hacked/
[3] http://isc.sans.org/diary.html?storyid=10768

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

Keywords: Compromised Sega

Comments

I couldn't find a breach notice prominently displayed on their web site, then I found this link:

http://www.sega.com/sega-pass/
-------
Hi

SEGA Pass is going through some improvements so is currently unavailable for new members to join or existing members to modify their details including resetting passwords.

We hope to be back up and running very soon.

Thank you for your paitence
---------------
I hope the improvements include buying a spellchecker.

Sega is prominently displaying their privacy notice on their home page, though. It includes
----------
"SEGA maintains appropriate safeguards that ensure the security, integrity, and privacy of the personal information we collect and store about you. These safeguards include, among other things, limiting access to such data to those employees performing a legitimate business function; technical security measures, such as encryption or passwords, to prevent unauthorized access; and the storage of data on secure servers or computers inaccessible by modem.
We also have security measures in place to protect the loss, misuse, and alteration of the information under our control (i.e., maintain data quality). Before we allow web users to access their personal information, for example, we verify their identity by requesting that they submit information such as their username and password. We also take reasonable steps to ensure that third parties to whom we transfer personal information provide sufficient protection of such data."
----------
Carnac the Magnificent: "Sega"

The question: "Who is about to get slapped with an FTC consent decree?"
There is a relationship between SONY and SEGA. SEGA publishes a lot of SONY exclusive products. This could be related to the SONY hacks.

Here's what SEGA sent to their users:

"As you may be aware, the SEGA Pass system has been offline since yesterday, Thursday 16 June.

Over the last 24 hours we have identified that unauthorised entry was gained to our SEGA Pass database.

We immediately took the appropriate action to protect our consumers’ data and isolate the location of the breach. We have launched an investigation into the extent of the breach of our public systems.

We have identified that a subset of SEGA Pass members' email addresses, dates of birth and encrypted passwords were obtained. To stress, none of the passwords obtained were stored in plain text.

Please note that no personal payment information was stored by SEGA as we use external payment providers, meaning your payment details were not at risk from this intrusion.

If you use the same login information for other websites and/or services as you do for SEGA Pass, you should change that information immediately.

We have also reset your password and all access to SEGA Pass has been temporarily suspended.

Additionally we recommend you please take extra caution if you should receive suspicious emails that ask for personal or sensitive information.

Therefore please do not attempt to login to SEGA Pass at present, we will communicate when the service becomes available.

We sincerely apologise for this incident and regret any inconvenience caused.

We are contacting all our members with these recommendations.

If you have any further questions please contact SEGA customer support on csescalations@sega.com"
A "leak" it was not. The data did not just happen to "leak" out of their systems through a corroded pipe. It was the digital equivalent of a home invasion robbery. The perp deliberately invaded the system to steal the data.
"Not sure why at this point so many video game vendors (Nintendo and Sony) have become the prey of hackers."

The overlap between the gaming and hacking communities is huge. Both can consume immense amounts of time and be done at near zero cost from the comfort of one's own home.
