Sega was hacked after security update

Why did post-PSN measures fail?

The hack that compromised the personal details of 1.3 million Sega users happened after the company had already tightened security in the wake of the PlayStation Network breach, Eurogamer can reveal.

The company promised over the weekend to "further strengthen [its] network security as a priority," as a result of last week's attack.

But "additional changes" had already been made to internal security as a direct response to the assault that brought down Sony's online services, affecting 100 million users.

Speaking last month, Sega West CEO Mike Hayes told Eurogamer: "We did a security audit as a result of this, which is probably six months earlier [than normal], and it was just a good housekeeping exercise.

"We made a couple of changes to some of our security systems. I'm sure most people have done exactly the same."

Hayes acknowledged that the PSN hack had been "an interesting wake up call for all of us," adding: "Fortunately we seemed pretty solid so we didn't have to do too many additional changes."

However, on 17th June Sega issued a statement to customers confirming its security had been bypassed: "Over the last 24 hours we have identified that unauthorised entry was gained to our Sega Pass database.

"We immediately took the appropriate action to protect our consumers' data and isolate the location of the breach. We have launched an investigation into the extent of the breach of our public systems."

The publisher confirmed that, while no financial information was stored, "email addresses, dates of birth and encrypted passwords were obtained."

This latest breach raises questions over the scope and implementation of Sega's internal security review, and will cause further concern for the industry, which has seen companies and services including Codemasters, Bethesda, Eve Online and Minecraft targeted by hackers in recent weeks.

In a statement issued to Eurogamer last week, Sega acknowledged: "The protection of data is an evolving process, as new defences are created so new threats emerge. We will make all improvements necessary as a result of this intrusion."

Speaking on the PSN hack last month, Hayes said: "I think it will just be seen in two or three months as a memory. We just have nothing but sympathy for Sony, because we don't care who you are, you don't want that sort of thing to happen.

"Corporations have problems, they all have problems, but once they're sorted out people just want to get back into gaming."

The Sega Pass service remains offline while the publisher conducts an investigation.

Comments (37) Latest comment 11 months ago


  • KayJay #1 11 months ago

    Because nothing is 100% secure. No matter what security measure you put in place there is always a way in... :/
    Edited by KayJay at 20/06/11 @ 10:43
  • evanac #2 11 months ago

    I wish these hackers would just **** right off. Nobody is impressed! Why don't you play some games for a change, instead of just ruining things for other people?

    Wait, you could hack Gaddaffi's computer. Go and do that. And then **** right off. ;)
  • GamesProgrammer Verified Games Team Programmer, Eutechnyx Ltd. #3 11 months ago

    It's quite clear now that hacking attempts are probably being made on all big players in the games industry, and given enough time they will eventually get in, so hopefully the majority of these people will be caught before they get into Nintendo or MS and accounts are lost in the millions again. Still I've now changed most of my accounts to have different passwords and changed my details to fake ones where possible, don't give a shit if it's against T&C's why do they need to know that information anyway, I've never once been sent a birthday present! Not even a card!
  • AaronTurner #4 11 months ago

    Sega says the passwords were encrypted but what does that mean? Does that mean the passwords are useless or that they are hackable? Are they easily retrieved from this encryption?
  • bumyoghurt #5 11 months ago

    LulzSec are not behind this hacking, but they were behind Sony's.

    They are doing it partly for Lulz, but also teaching us a lesson in thinking about what we sign up for. I don't want to sign up for all these bullsh*t 'community' games databases such as Rockstar Community or whatever it is called. I just want to game, not have my details stashed somewhere insecure.

    The only place that has my details is Microsoft, and that's my own laziness due to not wanting to buy cards every time I want MS Points. I just have to hope MS are slightly more savvy than their competitors. All signs are good so far.
  • bumyoghurt #6 11 months ago

    @4 - Any password that is encrypted is - by definition - hackable. It just depends if they got the encryption key, or if the key is easy enough to be broken, in layman's terms.
  • cloud_ix #7 11 months ago

    @3 I once got sent a wassssup card by Budweiser on my 18th birthday. Best card ever
  • Seoh #8 11 months ago

    "they are teaching us a lesson"

    Bollocks!! The hackers are being twats and the whole thing has turned into a pissing contest over who can hack what. If these hackers really were trying to be noble they would not post the passwords and email addresses, just enough to prove they did it, not enough for someone to steal your on-line identity.

    So far the biggest risk to our personal details are not companies like Sega or Sony but the actual hackers themselves, therefore the easiest way to make data safe is to imprison all hackers.
  • login_name #9 11 months ago

    LulzSec might be under attack themselves. I believe that a few IDs have already been obtained and sent to the FBI. Not sure how true that is, I don't really follow all this crap. I do like the idea that these wankers are getting a taste of their own medicine though.
  • bumyoghurt #10 11 months ago

    Admittedly, LulzSec are grey-hat, but they have not posted the majority of the info they have taken. This Sega hack was not them, as stated before.

    It's made me think twice about what I sign up for, so I thank them for that. They are making sure these companies are doing things by the book.
  • bumyoghurt #11 11 months ago

    @9 - It's sort of true, there have been arrests in Spain and Holland- maybe Germany.

    Don't know if they are actually related to LS or not.
  • HyperTails #12 11 months ago

    I think that we've already established that whatever security measures are put into place, there's always some uber-nerd with the skills to crack it.

    Disappointing that Sega strengthened its own security only for someone to come round and crack it, though. But these hackers going after games companies are taking the piss.
  • X201 #13 11 months ago

    @bumyoghurt

    Er.. actually the RockStar Social Club is bloody good, and doesn't deserve to be classed in the same group as websites that just want you to sign up to boost the web stats.

  • Nevfx #14 11 months ago

    As the very first poster said, nothing is 100% secure. What's more, there will always be people with no life willing to spend their whole day looking for ways in.
  • BloodSaint #15 11 months ago

    These stupid hackers are causing publishers/developers to lose millions.. These arrogant pricks will get caught one day and will regret they ever hacked anyone.
  • bumyoghurt #16 11 months ago

    @15 - Ignorant comment alert!
  • BloodSaint #17 11 months ago

    These stupid hackers are causing publishers/developers to lose millions.. These arrogant pricks will get caught one day and will regret they ever hacked anyone.
  • DigitalDelay #18 11 months ago

    @5 - I don't need to be taught a lesson by some spoilt little rich kids thanks! If I and others want to join rockstar social club etc that's our decision. Just like joining a forum or website etc, or registering new products. Are they going to hack everyone we give info to, purely on the basis that it's teaching us a lesson for giving information out? It's a bit like saying - don't bother to buy nice things, nasty people might pinch them.
  • bumyoghurt #19 11 months ago

    Stop being big gay babies for a second and look at what I am posting.

    These 'hackers' are not doing it to teach us a lesson for giving our details out, they are forcing the customer, and the games companies to think much more clearly about our details and how they are secured.
  • Doctor_What #20 11 months ago

    It would be nice if all of our data was encrypted rather than just the passwords. It might make things a bit more tricky.
  • X201 #21 11 months ago

    "Stop being big gay babies for a second and look at what I am posting."

    You haven't quite grasped the EG community ethic, have you?
  • HyperTails #22 11 months ago

    @bumyoghurt

    You're a different class of retard.
  • bumyoghurt #23 11 months ago

    Internet Bullying. Classy.
  • Freek #24 11 months ago

    It's fine guys, only The Genesis was hacked.
  • ShiftyGeezer #25 11 months ago

    @AaronTurner - they probably mean hashed, same as PSN and every other website. Hashing is (theoretically) a one-way process, so the passwords shouldn't be recoverable from the data the hackers got, although one old hashing system has been compromised and can be reversed, but I doubt anyone uses that any more. Incidentally this is the same state with PSN, although Sony's poor communication led everyone to believe passwords were kept in plain text.

    @ article - The "100 million users" PSN hack most certainly did not affect 100 million users, only 100 million accounts, where plenty of users create multiple accounts.
  • FortysixterUK #26 11 months ago

    It's going to be the same group of hackers, they just select a new target every day.

    I'm looking forward to the day it gets reported on the news that a group of prolific hackers were caught and face jail time.

    Once in prison the only thing those little prats will get hacked is their arseholes.
  • ToAks #27 11 months ago

    So when will the internet security be good again?
    I did my phone/bbs hacking bit in the 80's and into the 90's but when a friend of mine got busted we decided to stop, back then it was easier to hide due to all the equipment we could use and of course the analog stuff....

    Now that everything is digital and everything is traceable according to the government, why on earth haven't these guys been caught yet?... I know why and all but this is really getting out of hand and maybe providers and government etc should start to care more as even they have been hacked several times after the PSN incident (including the Pentagon).
  • bumyoghurt #28 11 months ago

    @26 - Incredibly naive and reactionary rubbish spouted by someone with clearly no knowledge of the subject matter.

    One has a natural reaction to 'hacking' in the form of fear. It's a scary thing, especially to those who consider themselves tech-savvy, such as gamers. This sort of keyboard warrior/Daily Mail turd that is spouted about 'locking 'em up' is just a manifestation of your fear.
  • Ranger101 #29 11 months ago

    I think LulzSec said it best themselves when they reminded everyone 'these are the ones you know about, these are the companies that have decided to go public. What about the ones you don't know about.'.

    And bumyoghurt is right - there's a lot of naive commentary here, let's leave the effing and the 'locking up'/'get a job' comments for the Daily Mail website.

    And just to give you guys a bit of insight, most black-hats don't get caught through forensic evidence, they get caught through self-incrimination i.e. bragging.
    Edited by Ranger101 at 20/06/11 @ 13:40
  • thiagots85 #30 11 months ago

    PSN was hacked? OMFG!

    if not talked by this article, I would never know anything about PSN hack by this site
  • ShiftyGeezer #31 11 months ago

    @Geowolf - not true. These are websites getting hacked on their servers, and not accounts getting compromised. It has nothing to do with Sony's loss of data. Even if it was hackers getting info from Sony and using that to access accounts on other websites, this is a month after everyone was told to change passwords. One or two days of delayed notification by Sony can't be blamed for every web-hack since! Companies have been getting hacked long before PSN and will be long after. PSN was just the biggest and hit mainstream media, so everyone's focus is wrongly on that, and not the bigger picture of net security in general. The fact HTTPS has been compromised is a way bigger problem enabling sites to spoof secure sites, but the media's made no song and dance about that.
  • pantherboy #32 11 months ago

    One good thing that will hopefully come out of all this is that people will think a little more carefully about what information they really need and what they have the capacity to protect.

    This is the real world, there are always going to be hackers, trying to appeal to their morality is futile - they all act for any number of reasons. If a company can't continually invest in keeping up to date in security to protect the information and track unauthorised access then they should not keep it – this applies to Sony more than Sega.

    Why a gaming company needs address, full date of birth etc, real names - the less information the better. At least Sega had the sense to offload the billing to someone who could protect it, turned out to be a smart idea.
    Edited by pantherboy at 20/06/11 @ 15:56
  • kangarootoo #33 11 months ago

    "It's made me think twice about what I sign up for, so I thank them for that"

    Christ, it takes someone to hack a company and put your details at risk for you to "think twice"?!?

    Some of us can consider what we sign up for all on our own, using something we naively call "common sense". I guess for someone with no common sense, an incident like this must be a welcome wake-up call.

    Good luck crossing the road by yourself.
  • Architect_z #34 11 months ago

    It was all Robotnik's idea!
  • scuffpuppies #35 11 months ago

    " Sony's online services, affecting 100 million users"

    Wow Eurogamer, you keep adding numbers to that figure. It'll be "1 billion Sony users identity stolen" by Christmas. You guys are great for a laugh.
  • Geowolf #36 11 months ago

    http://uk.news.yahoo.com/lulzsec-identit...

    Some down more to follow hopefully.
    Edited by Geowolf at 20/06/11 @ 21:12
  • zubnut #37 11 months ago

    Grey-hat, Black-hat, Ass-hat...what's the difference?