Over the month of April, reports have spread regarding unauthorized logins on Nintendo accounts. This could range from attempts that were thwarted by two-factor authentication (or quick responses by account holders) to accounts having their associated funds drained by the unauthorized login. In response to these reports and some early investigating, Nintendo began pushing its “2-Step Verification” process on social media earlier this month.
Now it appears that Nintendo has tracked down the means by which the unauthorized logins occurred. According to a statement released on the Nintendo of Japan website, the logins were made possible by way of the Nintendo Network ID (NNID) login method. The number of compromised accounts was reported at around 160,000, with nickname/username, date of birth, country/region, and email address included in the information viewable by third parties.The same data associated with Nintendo accounts linked to affected NNIDs could also be viewable assuming that login attempts were not stopped by quick action or two-factor authentication.
It is not entirely clear from the translated statement if this indicates a data breach regarding these older NNID accounts or if it was due to a security fault in that older login process. Nintendo’s UK support page, however, does indicate that they have no current evidence to point towards a general data breach. It is still an early occurrence in North America, so there have been no similar statements made by Nintendo of America or Canada at this time.
In addition to disclosing the information which may have been exposed, Nintendo has disabled the ability to login via NNID and will be resetting the passwords of accounts that they suspect may have been compromised. Nintendo also reminded users that if their account shared a username, password, or email with other accounts that they should change those accounts as well as a precaution. Finally, they again reminded users that they should set up two-factor authentication on their account as a security precaution going forward.
For the security of all accounts, it is highly recommended that you utilize two-factor authentication whenever possible. In addition, the use of a password manager with randomly generated, strong passwords is also recommended where feasible.
