Sega's Pass portal was hacked at the end of last week, compromising the details of around 1.3 million users, although cardholder data was unaffected.
In a letter to users, Sega confirmed that the Sega Pass system had been offline since Thursday 16th June, after it identified that unauthorised entry had been gained to its Sega Pass database.
It said: “We immediately took the appropriate action to protect our consumers' data and isolate the location of the breach. We have launched an investigation into the extent of the breach of our public systems.
“We have identified that a subset of Sega Pass members' email addresses, dates of birth and encrypted passwords were obtained. To stress, none of the passwords obtained were stored in plain text.
“Please note that no personal payment information was stored by Sega, as we use external payment providers, meaning your payment details were not at risk from this intrusion.”
Richard Harris, managing director of Swivel Secure, said: “Even though these Sega passwords were encrypted, the reality is that technology has now become so fast that GPUs can be chained together on a home PC to crack the encryption, a job that would have required a supercomputer just a few years ago. For encrypted passwords to be even vaguely safe, they need to be between ten and 12 characters long, almost twice the norm.”
The finger was almost immediately pointed at hacking group LulzSec, which has hit gaming companies including Codemasters, Sony PlayStation and Nintendo in recent weeks. However, it denied any involvement, saying on its Twitter feed: “We want to help you destroy the hackers that attacked you. We love the Dreamcast, these people are going down.”
In a release marking its thousandth tweet, LulzSec said that revealing what it was hacking, and disclosing it, was better than not releasing anything publicly.
It said: “What if we just hadn't released anything? What if we were silent? That would mean we would be secretly inside FBI affiliates right now, inside PBS, inside Sony. Watching. Abusing.
“Do you think every hacker announces everything they've hacked? We certainly haven't and we're damn sure others are playing the silent game. Do you feel safe with your Facebook accounts, your Google Mail accounts, your Skype accounts? What makes you think a hacker isn't silently sitting inside all of these right now, sniping out individual people, or perhaps selling them off? You are a peon to these people. A toy. A string of characters with a value.”
It went on to say that it was ‘sitting on 200,000 Brink users right now that we never gave out’. Brink is a first-person shooter video game developed by Splash Damage. LulzSec said: “It might make you feel safe knowing we told you, so that Brink users may change their passwords. What if we hadn't told you? No one would be aware of this theft and we'd have a fresh 200,000 peons to abuse, completely unaware of a breach.
“Yes, yes, there's always the argument that releasing everything in full is just as evil, what with accounts being stolen and abused, but welcome to 2011. This is the lulz lizard era, where we do things just because we find it entertaining. You find it funny to watch havoc unfold and we find it funny to cause it. We release personal data so that equally evil people can entertain us with what they do with it.”
It concluded by saying that it is ‘attracted to fast-changing scenarios’ and ‘can't stand repetitiveness’. “This is the internet, where we screw each other over for a jolt of satisfaction,” it said.
In a second release, LulzSec said that its ‘battle fleet’ is now declaring immediate and unremitting war on the freedom-snatching moderators of 2011, calling its actions ‘Operation Anti-Security’. It said that it encourages any vessel, large or small, to open fire on any government or agency that crosses their path.
“We fully endorse the flaunting of the word ‘AntiSec’ on any government website defacement or physical graffiti art. We encourage you to spread the word of AntiSec far and wide, for it will be remembered. To increase efforts, we are now teaming up with the Anonymous collective and all affiliated battleships.
“Whether you're sailing with us or against us, whether you hold past grudges or a burning desire to sink our lone ship, we invite you to join the rebellion. Together we can defend ourselves so that our privacy is not overrun by profiteering gluttons. Your hat can be white, grey or black, your skin and race are not important. If you're aware of the corruption, expose it now, in the name of anti-security.”
It said that the top priority is to steal and leak any classified government information, including email spools and documentation, while prime targets are banks and other high-ranking establishments.