Sega is the latest Japanese video-game company to come under hack attack. The company confirmed the theft of information belonging to 1.3 million customers from its database. That makes the Sega attack similar to the Sony PlayStation, Nintendo and Codemasters hacks of the past weeks.
In a statement written in Japanese, the company confirmed that names, addresses, e-mail addresses, and passwords of gamers were stolen from its Sega Pass web site on Friday. However, Sega was clear that credit-card numbers were not revealed.
"We sincerely apologize for troubles this incident has caused to our customers," said the statement. "An investigation has been launched to find the cause and channels used for the leakage."
LulzSec on a Vengeance
LulzSec, the culprit behind the Nintendo hack, denied responsibility for the Sega intrusion. Noteworthy is the fact that LulzSec has offered to find and punish the Sega database hackers.
"Well, it's bad news for those one-million-plus Sega customers as their e-mail addresses and dates of birth have been grabbed by the hackers. Those e-mail addresses could be used in phishing e-mails or targeted attacks designed to trick people into believing they really were from Sega," said Graham Cluley, a senior security analyst at Sophos.
"Sega has apparently reset passwords. Users would be wise to use different passwords on every web site they access, as once you get your details compromised in one place, your other accounts can begin to fall down like a pack of cards."
Everybody Getting Hit
Cyberattacks on governments, corporations and individuals are spiking. Sony's PlayStation Network, Lockheed Martin, PBS, Google's Gmail passwords, Nintendo and Citigroup's credit-card customers' files have all been hacked, causing concern and significant financial damage.
"Our opponents can attack at any time, using any method at their disposal, and only need to be successful once," says Jason Andress, author of Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners. "We have to be alert and react to every attack. This applies to every system, network and organization equally. Military, critical infrastructure, and corporate systems are all part of the ongoing fight."
And it's not just big companies and governments, either. The Anti-Phishing Working Group is reporting that more than one-third of respondents to a new web vulnerabilities survey were repeat victims of phishing. Thirty-seven percent reported their web sites had phishing or spoof sites planted on their web servers two or more times before, a statistic that reflects both the persistence of phishers and the difficulties of keeping them at bay.
"Phishers value compromised web sites highly because they are much harder for interveners to take down. They're confident that they'll be able to identify and exploit sites, and do so repeatedly," said APWG Research Fellow Dave Piscitello of ICANN.
"Victims are not mitigating exploits entirely or are not implementing adequate measures to keep them away," he added. "Keeping all components of a web site -- OS, web server, applications and content -- patch-current and applying the most secure configuration options possible could significantly reduce initial and repeat attacks."