Sega Pass hacked, customer details leaked

Sega has become the latest gaming company to fall victim to digital ne'er-do-wells, with the company's Sega Pass system having been cracked wide open by forces unknown.

In an e-mail to members, Sega admits that recent downtime on the service - which has been unavailable since yesterday - was caused by a security breach. "Over the last 24 hours we have identified that unauthorised entry was gained to our Sega Pass database," the e-mail reads.

"We immediately took the appropriate action to protect our consumers' data and isolate the location of the breach. We have launched an investigation into the extent of the breach of our public systems."

That investigation has revealed that attackers have obtained a 'subset' of the Sega Pass database, including e-mail addresses, dates of birth, and the encrypted password strings of a number of members.

"To stress," Sega points out, "none of the passwords obtained were stored in plain text." While that doesn't mean the service's users are safe - those using weak passwords will be vulnerable to a dictionary attack on the encrypted strings - it serves as partial mitigation.

Thankfully, no credit card details are included in the attack, as Sega uses an external payment provider to handle all online transactions.

"If you use the same login information for other websites and/or services as you do for SEGA Pass, you should change that information immediately," the company has advised its users.

Sega is now the latest in a growing chain of computer games companies that have had their systems pillaged by attackers, including Codemasters, Nintendo, Sony, Bethesda, and others. Sadly, the attacks show no sign of stopping any time soon.

The full text of Sega's e-mail can be found over on page 2.

As you may be aware, the SEGA Pass system has been offline since yesterday, Thursday 16 June.

Over the last 24 hours we have identified that unauthorised entry was gained to our SEGA Pass database.

We immediately took the appropriate action to protect our consumers’ data and isolate the location of the breach. We have launched an investigation into the extent of the breach of our public systems.

We have identified that a subset of SEGA Pass members emails addresses, dates of birth and encrypted passwords were obtained. To stress, none of the passwords obtained were stored in plain text.

Please note that no personal payment information was stored by SEGA as we use external payment providers, meaning your payment details were not at risk from this intrusion.

If you use the same login information for other websites and/or services as you do for SEGA Pass, you should change that information immediately.

We have also reset your password and all access to SEGA Pass has been temporarily suspended.

Additionally we recommend you please take extra caution if you should receive suspicious emails that ask for personal or sensitive information.

Therefore please do not attempt to login to SEGA Pass at present, we will communicate when the service becomes available.

We sincerely apologise for this incident and regret any inconvenience caused.

We are contacting all our members with these recommendations.

If you have any further questions please contact SEGA customer support on csescalations@sega.com