

Sega Europe Ltd. is the latest company to be found to be exposing data via a misconfigured Amazon Web Services Inc. S3 bucket.
Detailed Dec. 30 by security researcher Aaron Phillips, the exposed bucket contained multiple sets of AWS keys which could have been used to access many of Sega Europe’s cloud services. MailChimp and Steam keys were also found along with compromised SNS notification queues that ran scripts and uploaded files on domains owned by the company.
The exposed bucket was initially discovered on Oct. 18, with Sega Europe being informed the same day. The company failed to respond to the first notification, only doing so after a follow-up notification sent on Oct. 28. The company subsequently secured the bucket through its cybersecurity team and with the assistance of external security researchers.
Although there’s no proof that a malicious actor accessed the bucket, the potential for such access was real. Phillips noted that the credentials, keys and passwords could, in theory, be used for malicious purposes, including the theft of company and user data.
Phillips concluded that companies should keep their public and private cloud separated and that storage within a private cloud should be sandboxed with access to S3 buckets segmented.
“Unsecured S3 buckets continue to be one of the biggest issues for organizations that use AWS as an infrastructure hosting platform,” Hank Schless, senior manager of security solutions at endpoint-to-cloud security firm Lookout Inc., told SiliconANGLE today. “It’s difficult to speculate what could have been done with the keys, but over the course of 2021, we saw a number of breaches in the gaming industry that affected big names like Twitch and Electronic Arts.”
Schless noted that in the Twitch and EA cases, everything from proprietary gaming code and data to payment information for streamers was leaked.
“Gaming companies possess a treasure trove of personal data, development information, proprietary code and payment information that is highly valuable to threat actors,” Schless added. “With data privacy laws like CCPA and GDPR, gaming companies need to be sure their data is protected as people from all over the world play their games.”