According to CNN, Hackers obtained hundreds of thousands of Nintendo accounts this April. Nintendo reported on Friday April 24, that since the beginning of the month at least 160,000 accounts have been breached. Since then, the Japan based video game company has apparently re-addressed their security and privacy vulnerabilities. Hackers gained access using others’ Nintendo Network IDs without permission. The company announced users will no longer need to use these IDs to log into their accounts, and that passwords on accounts that may have been breached will be reset.
Theories of a potential breach circulated throughout the month on social media like Twitter, as users noticed unusual account behavior. Players reported that funds went missing from their accounts. Some found unauthorized purchases of Fortnite’s virtual currency, V-bucks, on their account history. How much has been compromised in this breach is uncertain but it poses a major security risk. Over 53 million people worldwide own a Nintendo Switch, which is not the only console of Nintendo’s with online functions. Further exploitation of vulnerabilities in the system by the cybercriminals could impact millions of people.
How did they do it? The hackers were able to infiltrate Nintendo’s systems through a legacy system called the Nintendo Network ID (NNID). Players used NNIDs to access online content on the Wii U and 3DS, now-discontinued consoles. Nintendo kept support for the NNID system to allow older players to log into newer consoles the same way. Nintendo did not reveal how the hackers gained access, but in a report released Wednesday, security provider SpyCloud announced that it believes attackers used a combination of crimeware and older breached data to identify and take over accounts with vulnerable logins. In this type of credential stuffing campaign, criminals use account checker tools to quickly scan lists of stolen account credentials, typically derived from older data breaches. If a user’s credentials match those found in an older breach, the attacker can exploit the account or resell access to other criminals.
Unfortunately the hackers are able to see the date of birth, country or area, and email addresses of the individuals breached through their Nintendo accounts. The hackers also have access to payment systems connected to these accounts, including PayPal accounts or credit cards to buy products on the Nintendo Marketplace or website.
In response to the breach, Nintendo has discontinued NNID support. Users will have to use their email address to log into their Nintendo accounts now. The company also reset the affected user’s passwords and emailed them about the incident. The company is also asking people to set up two-factor authentication, adding a second method of verification such as linking to another app that will generate a code for each login. Enabling two-factor authentication is crucial to keeping your information secure and we always encourage it for every device, account, or log in you have.