“Hi,” begins an innocent-seeming note on Sega’s online network homepage. “SEGA Pass is going through some improvements so is currently unavailable for new members to join or existing members to modify their details including resetting passwords.”
All of which means: yep, they’re still down this morning, June 20th, after hackers reportedly tapped into Sega’s customer database last week and accessed birth dates, email addresses, and encrypted passwords. Sega acknowledged the breach yesterday, admitting the sensitive information of nearly 1.3 million customers had been compromised.
As usual—or what’s become usual per the rash of recent hack attacks against various companies—extra-sensitive financial customer data like credit card numbers wasn’t touched. So sayeth Sega, anyway.
Sega initially contacted customers late last week with an email noting the company’s online network had been taken offline Thursday, June 16th. Sega said it “immediately took the appropriate action to protect…consumers’ data and isolate the location of the breach,” adding that it had “launched an investigation into the extent of the breach.”
Another bit of intriguing info: the assault on Sega’s database occurred after it claimed to have put new security measures in place following the much broader and more intrusive mid-April attack on Sony’s PlayStation Network. In an interview with GamesIndustry.biz (via IBT) last month, Sega West CEO Mike Hayes claimed the attack on Sony had been “an interesting wake up call” for the company, and that after making changes to its security system, Hayes believed Sega’s security was “pretty solid.”
Who hacked Sega? No one (save perhaps Sega, per its investigation) knows. No one’s publicly claimed credit. In fact, notorious hacker group LulzSec—responsible for a spate of recent attacks on organizations ranging from PBS to Sony to the CIA—acted as surprised as anyone, tweeting on Friday: “@Sega – contact us. We want to help you destroy the hackers that attacked you. We love the Dreamcast, these people are going down.”
But could that all just be LulzSec posturing? Toying with Sega and the rest of us? Did they actually do it? Can you trust a criminal organization (or—okay—self-styled disorganization) to be truthful when it’s one of the most brazen hacktivist cyber-perps?