Attackers Compromise 1.3 Million Sega Users

By Fahmida Y. Rashid  |  Posted 2011-06-20

Hackers took down Sega's online gaming service and compromised accounts belonging to 1.3 million customers, the video game company confirmed June 17.

Cyber-attackers launched a denial-of-service attack and forced the Sega Pass service, a subscription-based platform that allows gamers to play unlimited Sega games online, to shut down on June 16. A "subset" of Sega Pass members, or 1,290,755 of them, had their e-mail addresses, dates of birth and encrypted passwords compromised during the attack, Sega said in an e-mail to customers.

None of the passwords were stored in plain text, the company asserted, but it did not specify what encryption technique was used. Since the company uses an external payment provider, no personal payment information was stolen, "meaning your payment details were not at risk from this intrusion," the e-mail said.

"We deeply regret that such unauthorized access occurred," the game developer said Sunday in a statement.

The company discovered the intrusion when it investigated its databases after it was alerted by a customer. The company is currently conducting an internal investigation and has reset all user passwords. It advised users to change passwords on other Websites and services if the same login credentials were being used.

"There are no other verified incidents," Sega said. It did not have an estimate for when the service would be back online.

The attack follows the massive data breach at Sony after hackers brought down the PlayStation Network, Qriocity music and video service and Sony Online Entertainment in late April and early May. Over 101 million customer accounts were compromised, including credit card numbers, Sony said.

Video game companies are a "big and sexy target," Nick Percoco, senior vice-president at Trustwave and head of the SpiderLabs division, told eWEEK. The industry rakes in $10 billion a year, and attackers are likely selling the stolen information to people looking for e-mail lists to use in spamming and phishing campaigns, Percoco said.

The PlayStation Network attack was "an interesting wake up call for all of us," Sega CEO Mike Hayes had told Eurogamer in May, noting that the company had immediately launched a security audit of its network. Hayes at the time claimed the network was in good shape.

While the level of security in most organizations has not changed since a year ago, attackers are growing "more brazen" about going after big brands, Percoco said. The likelihood of a compromise has increased because attackers are more active and looking for more media exposure, he said.

Hacktivist group LulzSec had breached Nintendo's Website, exposed one million user accounts on Sony Pictures, and compromised game developer Bethesda's Website earlier this month. However, the group denied attacking Sega on its Twitter feed.

"@Sega - contact us. We want to help you destroy the hackers that attacked you. We love the Dreamcast, these people are going down," the group wrote.

Sega said it will make network security a "priority issue" and will increase the frequency of its security checks.
