Sigh: SEGA Join The Legion Of The Hacked

By Alec Meer on June 17th, 2011 at 6:38 pm.

See what I did there
UPDATE: Added SEGA’s official word on this below.

And yet it goes on. We might as well just have a ticker tape at the top of the site saying who’s been hacked; it’d be quicker than posting every time… The latest game firm to suffer a security breach is SEGA. It’s not just a DDoS this time, though – their online gaming service SEGA Pass has been broken into, and details made off with. “We have identified that a subset of SEGA Pass members’ email addresses, dates of birth and encrypted passwords were obtained. To stress, none of the passwords obtained were stored in plain text,” says the publisher. SEGA Pass seems to cover plenty of PC games (registering for info on Total War, that sort of thing), so it’s more than possible you’ve signed up at some point without entirely realising.

Lulzsec have claimed they’re not responsible for this one, which raises the alarming idea that there’s more than one group of people up to this kind of thing. SEGA have already reset everyone’s password automatically and taken the service offline for the time being, but if you signed up for any of their sites or games with login details you also use elsewhere, you’d better go and change everything. Again. You know the drill by now, right?

SECURITY ISSUE WITH THE SEGA PASS SYSTEM

LONDON, TOKYO & SAN FRANCISCO – (June 19th, 2011) – SEGA® Europe Ltd. has identified that unauthorized entry was gained to the SEGA Pass system and 1,290,755 customers’ information, including SEGA Pass members’ names, email addresses, dates of birth and encrypted passwords, were obtained.

We express our sincerest apologies to our customers for the inconvenience and concern caused by this matter. SEGA Pass is the service used to provide information about our new products to registered members and does not hold any customer financial information.

After the unauthorized entry was identified, we immediately stopped the SEGA Pass service and took emergency action to prevent further damage. This action included immediately contacting all our registered SEGA Pass users. We are now fully investigating the cause of the incident.

We have also examined the possibility of any other information loss from unauthorized access across our other services and can confirm there are no other verified incidents.

We will immediately report through the website of SEGA® Europe Ltd. (www.sega.com) should there be any further developments regarding this issue.

We deeply regret that such unauthorized access occurred. We will go on to further strengthen our network security as a priority issue and strive to prevent any potential recurrence.


92 Comments

  1. Shawnious says:

    HANDS OFF SEGA YOU FRENCH COMPUTER CHIP-FRYING NAZIS!

    • lurkalisk says:

      But don’t you know about all the freedom squelching techno-fascism Sega is responsible for? My word, are they ever to blame for things!

  2. Teddy Leach says:

    I don’t even know what password I used for SEGA.

    EDIT: Actually, I didn’t even know I had an account.

    • Napalm Sushi says:

      Likewise; that e-mail had me scratching my head for a while, and I still don’t remember doing anything online involving Sega besides buying Shogun 2 from them via Steam.

    • Teddy Leach says:

      Same here. It was also using my email that I hardly use for anything. Very strange. I can’t imagine myself signing up to anything using that email.

    • Gehrschrein says:

      Guys, guys, have you maybe signed up for the Empire co-op campaign beta?

    • Teddy Leach says:

      Not me, no. I must have signed up for SOMETHING, but I’ve no idea what.

  3. 8-bit says:

    cue a bunch of comments telling us that it’s OK because they are doing a public service for us by showing up security flaws lolololol……..

    god this is just pathetic now, does anyone honestly believe that Lulzsec (or someone involved in Lulzsec) isn’t responsible for this too? luckily they were stupid enough to attack the CIA a few days ago so hopefully this childish behavior can stop soon.

    • bglamb says:

      I find it incredible that anyone thinks the serious hacks have anything to do with Lulzsec.

      Why are people so blind to the fact that data is worth money?

      Just a list of 10,000 real e-mail addresses is worth money on the black market, let alone all of the relevant data that goes with it. Get a hundred thousand email/password configurations and even if only 1% of those work, you’ve got a gold mine.

      THIS IS ORGANISED CRIME AND IS MAKING THE PEOPLE INVOLVED A LOT OF MONEY.

      Stop pretending it’s just a bunch of kids being silly and wise up!

    • bwion says:

      I am, if anything, inclined to think that Lulzsec are a disinformation/distraction front for a professional identity theft ring.

      (I don’t necessarily *actually* believe this, but if I went to Conspiracy Theory land, that’s where I’d end up first.)

    • MiniMatt says:

      To be honest I’d be amazed and alarmed if there *wasn’t* more than one or two groups of people up to this sort of thing.

    • Soon says:

      Were I an international cracker of mystery, I’d have set up LulzSec as an umbrella for several other groups, allowing each to do what they want whilst LulzSec can claim responsibility. If any group is actually discovered, then everybody assumes they are LulzSec and the other groups just melt away into the shadows, possibly to set up again.

    • Raiyan 1.0 says:

      @Soon: Stop wasting your time around here and go write a script. ‘Cause that’s a conspiracy movie I would watch. :)

    • Christian says:

      I don’t know-

      I’d think people seriously interested in doing things like, you know, real ‘hacking’ or breaking into other systems for ‘serious’ business wouldn’t be childishly bragging about it on the internet. They would simply get the job done, nice and quiet. And then sell your data or break into something really worth stealing using that data.

      Like, let’s say, professionals do…

    • bglamb says:

      Well nobody is making a song and dance about most of the hacks. They only come to light 2 weeks later when the companies involved have to e-mail all of the people affected.

      That’s the difference between Lulzsec and organized crime.

    • meatshit says:

      That’s assuming the company is even paying attention enough to know they’ve been hacked. I wouldn’t be surprised if there’s many more announcements in the near future as companies, prodded by the Lulzsec publicity, decide to start looking through their logs.

    • kastanok says:

      “Stand Alone Complex – where unrelated, yet very similar actions of individuals create a seemingly concerted effort.”

      Seems to fit the circumstances.

    • lurkalisk says:

      To go off and attack targets like these, the professional electronic crime men must be getting desperate. Your turn.

    • Big Murray says:

      @bwion … some way to distract people, putting everyone and their mothers on high alert for potential hacking attempts.

    • lurkalisk says:

      Murray, have you no decency? I said it be YOUR TURN.

    • 8-bit says:

      you know I was kind of having a bad day when I came here and I guess I kind of snapped when I saw yet another hacking article, and now I look quite the fool for losing my temper :\

    • Cooper says:

      “Lulzsec have claimed they’re not responsible for this one, which raises the alarming idea that there’s more than one group of people up to this kind of thing.”

      This is key.

      THERE ARE OTHER PEOPLE DOING THIS. And you will never know until your account gets used by someone else.

      Apart from Lulzsec’s recent pathetic DDoS partying (and that really was pathetic – the average adolescent on /b/ can use a botnet), their hacking successes have been publicised, and the data released has been PUBLIC (meaning you can check it yourself to see if you are in there…)

      There are SO MANY other people doing this AND YOU NEVER HEAR ABOUT IT
      (and the companies probably never know, or don’t tell you – any public announcement by corporations has ALWAYS followed the Lulzsec announcement)

      As much of a pain in the arse Lulzsec are (and they are a big pain in the arse) at least it’s mostly public. Users of the inter-tubes and companies on it need this wake-up call.

      Lulzsec are, generally, doing a service for the idiots out there. If you’ve been using the same e-mail address and password for Sony, Bethesda et al. and PayPal, you are one of those idiots. If, after seeing these news stories, you have changed email addresses and now use a range of passwords, you should be thanking them.

  4. Bilbo1981 says:

    Set sail for Fail!

  5. Bitrayahl says:

    I think I signed up for Universe at War info? Like several years ago, maybe. I’m trying my best to remember the last time I was interested in any Sega game.

  6. rareh says:

    It wasn’t Lulzsec, they are big fans of the Dreamcast and so am I.

  7. Diogo Ribeiro says:

    This may sound weird, but…

    Can we actually acknowledge this is true? This might sound terrible to suggest, but it brings to mind the whole Assassin’s Creed 2 problem. Ubisoft, whether by intention or naivety, claimed their system was unhackable. Obviously, this played right into the hackers’ ego. They broke the system and the game was playable off torrents. I have no qualms saying I tried the hacked version before buying the official game: it worked, flawlessly, and I can vouch for Silent Hunter 5’s pirate version too.

    Before I get lost, what I’m trying to say is that, if there wasn’t talk about how Ubi’s system had been targeted for hacking; if there had not been rumors about how their abysmal server failure was due to hacks rather than poor system infrastructure; would companies not parade a “need” to “protect” consumers from hackers with DRM? Seriously, it’s a double-win for publishers and DRM providers: they “prove” someone attacked them, therefore they “prove” there is a need for DRM systems. Along the way, they might even “prove” the PC side of things is a pirate’s land and not worthy of their attention.

    Publishers will rarely, if ever, admit to releasing incomplete, faulty or plain wrong information. Games sales and worker treatment are an example – the former is brushed under the carpet, while the latter is self-congratulating accounting in the vein of “X millions sold” while forever being coy about the differences between sold and shipped, number of returns, sales for particular platforms (other than vague “best selling on platform Y or Z”). I’m not even going to touch the DLC which, more often than not, is a misnomer as it’s already right there, on the disc. On the other hand, hacker groups have absolutely zero problems with admitting what they did.

    Anyway, I’m not a conspiracist, so yeah, maybe it’s a series of organized attacks. Yeah. Though, who would stand more to gain? Certainly not the hackers, as their reputation is getting increasingly damaged with this kind of news.

    • Tatourmi says:

      It would work if those hacks were related to DRM. This is not related to games, only to customer data. They would not get anything out of it DRM wise in my opinion.

    • lurkalisk says:

      Methinks you’ve confused “former” and “latter”.

      Anyway, I doubt this will have much of an impact on DRM issues, if only because of how unbelievably unpopular it is. It’s hard to justify something people won’t accept any justifications for.

  8. HeavyStorm says:

    Sega now. Next thing they will hack steam.

    And for those of you who think that’s improbable, let’s just remember the Half-Life 2 source code incident. Of course, after that, I think they invested a lot more in security.

    • Wulf says:

      Heh. Long memory. That was before Steam was actually a thing, so there was no need for the security you speak of, which is kind of a massive hole in your reasoning there. You’re suggesting security for an infrastructure that didn’t exist at the time. Remember that the code that was leaked was kind of early on into Half-Life 2’s development, and it was of the earliest alpha software there was, and looked absolutely nothing like the Half-Life 2 that was actually released.

      Since they started up Steam, I can imagine that Valve likely took a few security experts and white hat hackers under their wings, I can’t see someone as shrewd as Gabe not doing that. And while they won’t toot their own horn, I’d suspect that Valve would have a few very nasty surprises should someone try to pry their way in.

    • Raiyan 1.0 says:

      Steam Guard, anyone?

    • Recidivist says:

      @Wulf
      Steam’s release was 12th September 2003, HL2 source code theft was 19th September 2003. Steam had been out for a week ;)

      http://news.bbc.co.uk/1/hi/technology/3162074.stm
      http://en.wikipedia.org/wiki/Steam_%28software%29

      @HeavyStorm Lol I said the exact same thing back when Bethesda was hacked :P And funnily enough, someone also replied to me telling me that Steam wasn’t out yet so their security wouldn’t have been as good. Silly people.

    • Tatourmi says:

      Steam is probably already in red alert, hiring people all over the place to ensure even more data protection. They probably are a target, but they are probably preparing for it.

    • lurkalisk says:

      I’d guess (an uneducated one) that Steam is more of a final boss, if anything.

    • Toolbox says:

      @Recidivist The guy who leaked the HL2 source code had gained access to Valve’s servers a few weeks before the actual hack, making it clear before the release of Steam. Not to mention that Steam one week after release is hardly the same software it is today.

  9. Fumarole says:

    This is the first time any of these incidents has affected me. Oh noes!

  10. itsallcrap says:

    I don’t know whether they’re deliberately leaving Steam alone or it’s just harder to crack, but I’d say now is a good time to delete any stored card details you may have on there.

    • Wulf says:

      I think it’s more that Gabe, unlike so many other company heads, would be shrewd enough to hunt around for some real software geniuses, to implement things in Steam that would give potential hackers nightmares.

      In fact, we’ve already seen evidence of that. VAC et al.

    • konrad_ha says:

      Good point, I completely forgot about that.

    • tomeoftom says:

      I do trust Steam quite heavily, but thanks for reminding me – I’m definitely scrubbing that shit.

    • RiptoR says:

      I thought Steam only stored credit card info locally, but then again, I could be completely mistaken about this.

  11. salejemaster says:

    take that sega, in the name of streets of rage remake :))))))

  12. jonfitt says:

    I see what you did there Alec. Very good.

  13. konrad_ha says:

    One thing we can all take away from this: don’t use the same password twice, ever.

    Create a system in your mind that at least varies part of your passphrase(!) based on where you use it. Could be anything really, e.g. taking the first and last letter of the domain where you login but shifting them and inserting them in the second and fourth position of your passphrase. Be creative!

    It’s really time to come up with your personal passphrase-system. “123456” just doesn’t cut it anymore.

    • Binman88 says:

      Sensible^

      I’d also recommend people take a look at LastPass for password generation and saving.

      I was using fairly cryptic 7 or 8 character passwords with numbers and upper and lower case letters before, but I was re-using some of them and often found myself resorting to the easiest to remember password when signing up for something in a hurry. Now I generate unique 16 character passwords for each site I visit. Probably a tad overkill, but it’s great for peace of mind.

    • Christian says:

      Just to add to this:

      I don’t know LastPass as I use KeePass, but combine one of those with a strong master-password, Dropbox and an app for your smartphone, and you’ll never have to worry about forgetting your passwords again.

    • droid says:

      Roboform or sitepass also work.
      See also: How I would hack your weak password, or why just encrypting the passwords doesn’t save all users.

    • Faxmachinen says:

      A bit overkill? I consider 120 bits a minimum, and I’ll happily feed it as many characters as it’ll take. However, doing this reveals just how atrocious and unhelpful most password forms are. Did you know that Hotmail passwords have to be alphanumeric and 16 characters or less? Me neither, I had to work it out by trial and error.

    • Jake says:

      I personally use Lastpass but Lifehacker had some decent advice on picking a password: http://lifehac.kr/jwzVER

      Although I am sure there are more secure ways to make a password, this method would at least be one you can remember.

  14. westyfield says:

    For fuck’s sake.

  15. Christian says:

    So. This might be used as another argument against having to sign up with every single fucking company I buy a game from just to be able to play their games.
    Come on. Isn’t entering a serial-number enough?

    If I want to be your social-media-buddy, I’ll find you.

    Apart from that: what is going on right now? Is this just because the media have picked up this topic suddenly (assuming that there is always someone breaking into something somewhere) and the companies now simply have to admit having been compromised, or was there really an increase in these activities during the last few weeks (and I’m not talking about that kiddie-style DDOS-stuff LulzSec have been doing lately)?

  16. Raiyan 1.0 says:

    What a shame.

  17. Clean3d says:

    Hackers and hacking have already become terms I don’t take seriously. This is due to high-school buddies who claimed they could “hack” by guessing their friends’ passwords, and the fact that most folks don’t have a clue what hacking entails and will burst into a panicked frenzy of “ohmygosh, I’ve been *HACKED*?!” if I point out to them that it’s not safe to open all email. I respect those who are actually dedicated to their craft, though.

    I suppose it’s easier for me to brush this off, however, as I use Linux and everyone knows Linux users don’t play games.

    • Gundrea says:

      Actually 90% of hacking (or cracking or black hat or whatever you prefer to call it) is social engineering.

  18. vanilla bear says:

    Does anyone know what my Sega account might have been? The only place I can think of that I’ve seen the logo is on Total War games – did we have to make an account on Empire?

    Edit: Lulzsec are reportedly offering to “take down” whomever hacked Sega because they “love the Dreamcast”

    • Ice-Fyre says:

      Football manager, or any forum to do with Sega

    • Teddy Leach says:

      I really do love how no-one seems to know why they had an account.

    • NaFola says:

      Are you saying that Sega purchased all the data that has been stolen from other companies, and then added it to their own databases before claiming “oh no, we’ve been hacked too”, to throw everyone off the scent (as well as then confirm all the data that is still valid)?

    • vanilla bear says:

      It was the Empire Total War Coop Beta that was my undoing. However, the sign up email didn’t tell me what password I might have used, and of course the SEGA PASS website is down for “improvements” so no prospect of finding out there.

      :(

    • FunkayM says:

      Going back through my older emails searching for Sega reveals that the only thing I signed up for was the Total War forums at TotalWar.com.
      I may (probably) be wrong on this but I seem to recall vaguely that when I registered there was some way to link your Steam profile to the account for stat tracking.

  19. Tei says:

    Damnit… I have received the email. It seems I have an account on every game platform that will be cracked this year :-P

  20. psyk says:

    http://www.neowin.net/news/report-lulzsec-tried-to-blackmail-ceo-of-data-security-firm

    Just because I feel that piece of news should be spread around a bit more.

    • 0p8 says:

      if you read the chat log that karim didn’t post on his site, you might change your mind about whether or not he is completely innocent………not accusing or defending anyone but it’s good to see all the facts………… just saying.

    • psyk says:

      The one released by a group of criminals because he wouldn’t do what they wanted.

      “4. I am not surprised by this attack; or the information dump on me; or their slanderous statements against me and my company. This is precisely what they threatened me with – in addition to other things, including allusions to physical harm to me and my family – if I did not cooperate with their demands.”

      Did you bother to read up on what unveillance actually does? mmmmmmm I wonder why they got targeted.

    • 0p8 says:

      Of course I know what they (unveillance) do.
      my point is that ceo guy never said that the log was fake, and if it was a fake designed to falsely incriminate, don’t you think they would have done a better job (it was pretty vague, but quite damning). Also the claim that it was a sting in order to humiliate him and show white hats as corrupt, is entirely plausible. But at the end of the day this is purely speculation.

  21. pupsikaso says:

    I DON’T know the drill. What do I have to do? HOW do I even find all the places where I need to change my security information? There’s so many now…

    • psyk says:

      Pick accounts that matter to you
      Improve (10+ chars/caps/symbols and numbers “d7jf6Ou3eS%CI^18”) and make each pass unique

    • Tei says:

      Or just make long passphrases with fake words that you invent on the spot.

      “my sportagans is malitagans”

      “engendruscus malandruscus”

    • pupsikaso says:

      No, I know how to make good passwords. The password that I use is very strong… but thing is I use it for everything… and I’ve got accounts on like all over the internet…

    • RC-1290'Dreadnought' says:

      A password that you use for everything is not a strong password. After all, to find out what your password is, someone only needs you to sign up on his or her service.

    • pupsikaso says:

      You want me to keep a different password for the dozens upon dozens of websites and forums that I sign up for? How in the world do you expect anyone to remember that many passwords??

    • JFS says:

      Use a piece of paper and a pencil to write it down, then put it in your desk. No hacker on Earth will manage to break into that, unless he becomes a burglar, but that is an entirely different topic.

  22. The Sentinel says:

    This is getting farcical. Sigh.

  23. Turkey says:

    I skyped all their files and sent them to my inbox.

  24. MrGreen72 says:

    My guess is that after the Sony fiasco, a lot of cave dwellers googled “SQL injection” and discovered that just about any idiot can hack into the DB of a poorly programmed web site.

  25. RDG says:

    Correct me if I’m wrong, but I don’t really see the urge to change all my passwords everywhere.

    * The passwords were not stored as text. Which means it will take some time to decrypt, and that is even assuming whoever broke in is even interested in the passwords and not just in the active e-mail addresses.
    * Judging from the enormous amount of people who seem to have received the Sega e-mail, the list must be enormous. The odds of your account information being used will be quite small.
    * Only websites which allow you to log in using your e-mail address are compromised. Whoever owns the database right now still doesn’t know your username for other websites.

    As always, make sure your e-mail address is protected by the most difficult and unique password you can think of, as you can reset all your other passwords through your e-mail. Never use your e-mail password for anything else.

    • TillEulenspiegel says:

      You’re wrong. Unless they’re using bcrypt for hashes – and very few sites are – cracking passwords is relatively quick these days. Especially if we assume that the culprits happen to also control a network of zombies that they use for DDoS, etc.

      At best, you have a grace period of maybe a month or two to change anything that used the same password, depending on the strength of the password in question. Expect weak ones (eg, a dictionary word plus a digit) to be cracked in a matter of minutes.

      And once the password is cracked, I’d assume the worst: that they have automatic scripts to use that account information to harvest all your data in every location they can think of.

      Lesson: never, ever use the same password twice. LastPass makes this extremely easy.

    • NaFola says:

      With all the data that has been taken, the hackers can easily crunch some numbers to work out the most common passwords, and crack them first. The scary thing is, this also means that they can add a lot more entries to any dictionaries they use, resulting in less time for cracking passwords in the future.

      I’d love to analyse that data to see the most common passwords for gamers (to see if the patterns differ to the norm/other social groups).

      So in response to your statement about not changing passwords – I still would, as it may be a more common password than you think.

      They may not have your username, but a lot of sites also allow you to use your email address to log in instead.

      Just stuff to bear in mind…

    • NaFola says:

      Thanks for the link, interesting reading and saved me a job. It is indeed sad, but not surprising either :( I hadn’t even read up enough to know that some of the passwords were stored in plain text, that was about the only thing that shocked me!

    • RDG says:

      @TillEulenspiegel

      That is basically what I am saying. The keyword is ‘everywhere’. I don’t see the need to change my password on sites where I need a username to log in. I also said that it will take some time for them to decrypt your password before they can use it. Regardless of how they stored it, anything can be decrypted offline brute-force by generating a hash of every single password imaginable and mirroring that list with the encrypted passwords. Once they find out which encryption is used, it will take a few days depending on how big the list is.

      I find using a different password for everything counter-productive. I use a unique password for my e-mail since my e-mail can recover and reset all the other ones. Sites that store credit card information have a different password which I recently had to change thanks to the PSN fiasco. Now it seems my standard forum password is void thanks to the Sega hack. So I am spending some time figuring out which sites I can log in without a username and I care enough about to bother about in the first place.
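
The offline dictionary check that TillEulenspiegel and RDG describe above, as an added example that is not from the article or any commenter: it stores three constructed accounts under an unsalted SHA-1 and under a salted, iterated PBKDF2-HMAC-SHA256 (standing in for bcrypt, which Python’s standard library lacks), then runs the same short common-password list against both. The accounts, the password list and the iteration count are assumptions; the point is that one precomputed table matches every unsalted hash at once, while the salted scheme forces per-account guessing at far higher cost, and that weak, reused passwords still fall either way.

```python
import hashlib
import hmac
import os
import time

# Constructed sample accounts, as a site might hold them; two are weak on purpose
# so the audit below has something to find, one is a made-up passphrase.
SAMPLE_USERS = {
    "alice@example.invalid": "123456",
    "bob@example.invalid": "dreamcast",
    "carol@example.invalid": "engendruscus malandruscus",
}

# Constructed stand-in for the big dictionaries built from earlier leaks.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "dreamcast", "letmein"]

PBKDF2_ITERATIONS = 100_000  # assumption: tune to your hardware; bcrypt/scrypt preferred


def fast_unsalted_hash(password: str) -> str:
    """The weak scheme: one plain SHA-1 per password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def slow_salted_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """The better scheme: per-user random salt plus an iterated KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def store_slow(password: str) -> str:
    """Produce a self-describing record 'iterations$salt$hash'."""
    salt = os.urandom(16)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${slow_salted_hash(password, salt)}"


def verify_slow(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    iters, salt_hex, stored = record.split("$")
    candidate = slow_salted_hash(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, stored)


def audit_fast_table(stored: dict, common: list) -> dict:
    """Unsalted: one precomputed table serves every account in the dump."""
    table = {fast_unsalted_hash(p): p for p in common}
    return {user: table[h] for user, h in stored.items() if h in table}


def audit_slow_records(records: dict, common: list) -> dict:
    """Salted: every account must be tested separately, no table reuse."""
    found = {}
    for user, rec in records.items():
        for p in common:
            if verify_slow(p, rec):
                found[user] = p
                break
    return found


def cost_ratio(samples: int = 10) -> float:
    """Rough wall-clock cost of one PBKDF2 guess relative to one SHA-1 guess."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(samples):
        fast_unsalted_hash("guess")
    fast = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    for _ in range(samples):
        slow_salted_hash("guess", salt)
    slow = (time.perf_counter() - t0) / samples
    return slow / max(fast, 1e-9)


if __name__ == "__main__":
    fast_db = {u: fast_unsalted_hash(p) for u, p in SAMPLE_USERS.items()}
    slow_db = {u: store_slow(p) for u, p in SAMPLE_USERS.items()}
    print("unsalted SHA-1, matched by one table:", audit_fast_table(fast_db, COMMON_PASSWORDS))
    print("salted PBKDF2, per-account guessing: ", audit_slow_records(slow_db, COMMON_PASSWORDS))
    print(f"one PBKDF2 guess costs roughly {cost_ratio():.0f}x one SHA-1 guess")
```

Both audits find the same two weak accounts; the slow scheme only buys time per guess, which is why the thread’s conclusion (unique passwords everywhere) still stands.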

  26. Scatterbrainpaul says:

    It’s all very well these companies saying go and change your password for all other sites you’ve signed up to. I’ve been using this email address for 10 years, fuck knows how many gaming sites and online retailers I’ve signed up to it with.

    Getting pissed off now

  27. NaFola says:

    It wouldn’t surprise me if a lot of these companies have been hacked previously/many times over, but after the initial sony hit, it has alerted their security to it now, and made it less damaging to admit anyway.

    • 0p8 says:

      you are absolutely right.
      possibly, the only reason we’ve known about some of the more recent ones, is because they were intentionally made public by the hackers.

  28. pipman3000 says:

    good. sega is terrible and ruins franchises for a living (ever notice how the total war series started to suck once sega branded their name on it?)

    • TheEddevilish says:

      Since the first total war was published by Sega, I can only assume you think the series has always sucked.

    • Davie says:

      I’m sorry, sir, you must clearly live in an alternate universe where Shogun was the crowning example of the series. I pity your misfortune.

    • pipman3000 says:

      shogun was published by EA while pre-evil activision published medieval 1 and rome. sega only started publishing them around the time barbarian invasion came out.

      you must be thinking of some repackaged copy you saw in a store or you are very confused.

  29. necromental says:

    The missus just mentioned that perhaps some may jump on the bandwagon by proclaiming they’ve been hacked for free publicity…

    • Raiyan 1.0 says:

      If they were looking for publicity, they would claim there was a cracking attempt which was foiled by their amazing security.

      (Which in turn would attract real crackers to take an interest in them.)

  30. Davee says:

    Talking of crazy conspiracies; someone told me there’s a theory that LulzSec is hired by political activists and only exists to do as much damage and noise as possible. This to justify the controversial US law proposal concerning hacking/cracking as a very serious crime (and other apparently internet-freedom-infringing things, I’m not familiar with the details of this law though, so I can’t say for sure).

  31. pipman3000 says:

    Alt Headline: SEGA security as bad as their games