Sega sent an email out on Friday stating that their Sega Pass system had been compromised by hackers. According to the email, they took the system down on June 16th after determining that unauthorized access to their servers had occurred. The account data taken included email addresses, dates of birth and encrypted (not hashed or plain-text) passwords. As of this writing (6/20), Sega Pass – Sega’s online system for giving newsletters, demos and other perks – is still offline.
In a later update, Sega stated that 1,290,755 accounts had been compromised, and apologized for the inconvenience, while stressing that financial information was not taken. They said that they were working to further secure their network and were investigating the source of the intrusion.
Lulz Security, famous for their prior hacks, have offered to help Sega find the culprit responsible for this data breach, stating on Twitter that they would help “destroy” the responsible party because they love the Dreamcast. This is consistent with their prior statements that Sega, along with Nintendo, had a special place in their hearts.
The Sega hack is only the latest in a long string of incidents dating back to the PlayStation Network hack on April 15th-16th. Recently, Bethesda, Nintendo, BioWare, EVE Online, Minecraft and gaming website The Escapist, among others, have suffered at the hands of hackers.
Analysis: I’m actually going to praise Sega here. It’s important to note that Sega handled this situation the way you’re SUPPOSED to handle a breach: lock it down, and immediately tell your customers. No pussyfooting for a week like Sony did, or getting just about everything – from the time it took to disclose, to the fact that they don’t even know how many financial accounts are compromised – wrong, like Citigroup has. Citigroup actually tried to tell people that they didn’t disclose information because they didn’t want to shock customers. Just that statement is more shocking than anything I could ever believe.
Obviously, it would be nice if Sega were more secure and didn’t get attacked, but no system is 100% secure, so if breaches do happen, it’s important that 1) they don’t affect financial data, and 2) they’re immediately taken care of and disclosed. Sega did a good job here, considering the circumstances.