Sega Corporation has joined the increasingly long list of video game companies to suffer a data breach. In an email sent to members of its Sega Pass service, it admitted that the user accounts of almost 1.3 million users had been compromised.

Sega Pass System Breached

Sega Pass was taken down last Thursday after the breach was discovered. The hackers made off with the personal information of Sega’s 1.3 million users. This includes email addresses, home addresses, dates of birth and their encrypted passwords. In the email to its users, Sega stressed that the passwords were encrypted, not stored in plain text. It is not known whether the password encryption was strong enough and whether the passwords were salted. We know from previous security breaches that weak encryption means no encryption at all.

The website in question, which can be found on the domain, is still offline. Users who visit the page are greeted with a message that tries to tone down the severity of the attack. Perhaps the only silver lining to this is that since Sega uses external payment providers, payment information does not appear to have been stolen.

For its part, Sega has assured its users that they have taken all the appropriate actions to mitigate the effects of the attack. The service was temporarily taken down, and all user passwords have been reset. They have since isolated the location of the breach and have launched an investigation into the extent of the damage.

Additionally, Sega Corp. has strongly advised users who use the same login information with other services to change those passwords as soon as possible.

Attack Vectors

The method that the hackers used is still unknown. Sega hasn’t released technical details. As the hack was performed through the Sega Pass website, it could be any of a number of hacking techniques, including SQL Injection, Cross-Site Scripting (XSS) and others. My suspicion is that SQL Injection has something to do with it. It is quite normal for entire databases to be stolen when such attack vectors are utilised.
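To make the SQL Injection suspicion concrete for developers, here is an added example (not Sega's code, and nothing here is known about how Sega Pass queried its database) of the lookup pattern that makes whole-database theft possible beside the parameterized form that closes it. The table, column names and sample accounts are constructed for the illustration.

```python
import sqlite3
from typing import List


def build_demo_db() -> sqlite3.Connection:
    """In-memory table with constructed sample accounts (not breach data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users (email, pw_hash) VALUES (?, ?)",
        [
            ("alice@example.com", "hash-a"),
            ("bob@example.com", "hash-b"),
            ("carol@example.com", "hash-c"),
            ("o'brien@example.com", "hash-d"),  # a legitimate address containing a quote
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> List[str]:
    """Vulnerable pattern: the input is spliced into the SQL text, so it can
    change the structure of the query rather than just its value."""
    query = f"SELECT email FROM users WHERE email = '{email}'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> List[str]:
    """Hardened pattern: the SQL text is fixed and the driver binds the input
    as a value, so quotes and keywords in the input are treated literally."""
    return [row[0] for row in conn.execute(
        "SELECT email FROM users WHERE email = ?", (email,))]


def vulnerable_query_fails(conn: sqlite3.Connection, email: str) -> bool:
    """True if the string-built query cannot even be parsed for this input.
    Legitimate data containing a quote is enough to break it, which is one
    early sign of the pattern in application error logs."""
    try:
        lookup_vulnerable(conn, email)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    conn = build_demo_db()
    print("parameterized, exact match:", lookup_parameterized(conn, "alice@example.com"))
    print("parameterized, quoted address:", lookup_parameterized(conn, "o'brien@example.com"))
    print("string-built query breaks on quoted address:",
          vulnerable_query_fails(conn, "o'brien@example.com"))
```

The same input that makes the string-built query fail for an honest user is the input class that lets a crafted value rewrite the WHERE clause; the parameterized version returns nothing for such a value because it is compared as a literal string.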

Who was Responsible?

As yet, no one has come forward and claimed responsibility for the hack. Most probably the hackers are trying to keep their identity secret and will probably be trying to sell the stolen information to some underground criminal network.

LulzSec, a hacker group notorious for its attacks on Sony, Microsoft, Nintendo, Bethesda and many others, have categorically denied responsibility.

Instead, the group has offered a helping hand to Sega. In a tweet, a representative wrote: “Sega – contact us. We want to help you destroy the hackers that attacked you”.

LulzSec burst into the public consciousness back in May 2011, when the group hacked into the PBS website in the United States, stealing user data and posting a bogus news story. In June, they attacked the Sony Pictures websites, claiming to have seized over one million user accounts. In the same month, they attacked the Nintendo servers, but were unable to make off with any useful data.

The group does not appear to hack for profit. Sometimes its attacks are politically motivated, such as the PBS attack. However, in general, the group claims to simply take pleasure in causing mass fear and disorder. LulzSec has never claimed to take advantage of the data they steal. They claim to be helping draw attention to security flaws.

Lessons Learned

All the recent high-profile breaches have indeed drawn attention to the issue of Internet security. Sega is simply yet another victim in the long line of companies to have been attacked. Companies have an increased responsibility to take every necessary precaution to protect their users’ data. As a user, one's information is now as unsafe as it ever has been. Surely one thing is certain – now is not a good time to be an online gamer.


Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.