"We have identified that a subset of SEGA Pass members' email addresses, dates of birth, and encrypted passwords were obtained. To stress, none of the passwords obtained were stored in plain text," Sega said in a statement.
"Please note that no personal payment information was stored by Sega as we use external payment providers, meaning your payment details were not at risk from this intrusion," the statement says. "If you use the same login information for other websites and/or services as you do for SEGA Pass, you should change that information immediately."
Sega did not say how the database was breached. News reports, later confirmed by Sega, put the total number of compromised accounts at approximately 1.3 million.
LulzSec, the hacker group which has claimed responsibility for a number of attacks on gaming company websites and databases in recent weeks, said it did not attack Sega.
"@Sega - contact us. We want to help you destroy the hackers that attacked you," LulzSec said on Twitter Friday. "We love the Dreamcast, these people are going down."
Vinnie Liu, a partner at the security consulting firm Stach & Liu, said Sega might be naive in its assertion that the stolen passwords are safe because they are encrypted.
"[Sega said] it'd take quite a while longer to expose an encrypted password than it would to expose a password that'd been stored in plain text," Liu noted. "This would be true if by 'quite a while longer' they mean 'a few seconds longer.' Using modern password brute-forcing tools, offline cracking of a password takes mere moments, and considering the quality of passwords that we've seen from the other breaches, I think a few seconds would be generous."