Sega Europe was found to be exposing data via a misconfigured AWS S3 bucket. The exposed bucket contained multiple sets of AWS keys that could have been used to access many of Sega Europe’s cloud services. MailChimp and Steam keys were also found, along with compromised SNS notification queues that were able to run scripts and upload files on domains owned by the company.
The exposed bucket was initially discovered on Oct. 2021, with the company being informed the same day. The company failed to respond to the first notification, only doing so after a follow-up notification sent on Oct. 28. The company subsequently secured the bucket.
Though there is no proof that a malicious actor accessed the bucket, the potential that it could have been accessed is real. The credentials, keys and passwords could, in theory, be used for malicious purposes, including the theft of company and user data.
Companies should keep their public and private clouds separated, and storage within a private cloud should be sandboxed, with access to S3 buckets segmented.
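The two conditions described above, a bucket policy open to any principal and AWS access key IDs stored in bucket objects, can be checked offline. The following is an added example, not taken from the original report: the policy, bucket name, account ID and object contents are constructed, and the key ID is the placeholder value used in AWS documentation.

```python
import json
import re

# Constructed sample bucket policy (bucket name, account ID and role are placeholders).
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AppOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-app"},
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/private/*"},
    {"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/internal/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0example"}}}
  ]
}""")

# Constructed object contents; the key ID is the placeholder from AWS documentation.
SAMPLE_OBJECTS = {
    "deploy/config.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nREGION=eu-west-1\n",
    "static/readme.txt": "Nothing sensitive here.\n",
}

# AWS access key IDs: AKIA (long-term) or ASIA (temporary) plus 16 characters.
KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _any_principal(principal):
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return principal == "*"

def audit_policy(policy):
    """Sort wildcard-principal Allow statements: unconditional ones are public,
    ones with a Condition may be narrowed and go to manual review."""
    public, review = [], []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") == "Allow" and _any_principal(st.get("Principal")):
            sid = st.get("Sid", f"statement-{i}")
            (review if st.get("Condition") else public).append(sid)
    return {"public": public, "review": review}

def find_key_ids(objects):
    """Map object name -> access key IDs found in its text."""
    hits = {name: KEY_ID_RE.findall(body) for name, body in objects.items()}
    return {name: ids for name, ids in hits.items() if ids}
```

A statement listed under `review` is not proven safe; its Condition still has to be read to confirm it restricts access as intended.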