This is the first Stripe breach I've found where the vendor didn't even bother to set a host password. All of their money was at risk. It's a good thing I'm so handsome and honest. They also leaked a bunch of plaintext passwords in an especially galaxy-brained way.
Yes, if PII is involved it's common to run an audit like this. In addition to the access keys on the server image, Sega also accidentally published a database export containing PII. In order to write a comprehensive disclosure I have to investigate thoroughly.
And yeah, there's no branding or information on HackerOne. Even if this had been in scope, I would have thought twice about submitting anything. Our publishing standards match HackerOne ethical disclosure standards.
Sega Europe left AWS S3 creds laying around in a server image on downloads.sega.com. I was able to use them to enumerate a bunch of storage, dig out more keys, and mock up a spear phishing attack against the Football Manager forums.
All the keys and services are secure and the breach is closed.