Back on April 24, Nintendo released a statement via the Nintendo of Japan website saying it had discovered the means by which Nintendo accounts had been accessed. The access was found to be linked to the old Nintendo Network ID system of the 3DS and Wii U, and it affected those who had linked that old ID to their new Nintendo accounts for Switch. At that time, Nintendo believed that approximately 160,000 accounts had been compromised via this method and took the Nintendo Network ID login method offline to prevent further compromise through it.
Now, just a month and a half after that initial statement, Nintendo has updated the webpage with further findings from the investigation. The number of compromised accounts was almost double the initial finding. Approximately 140,000 additional accounts were found to be compromised, bringing the total number of accounts to 300,000. This has led to Nintendo stating that they “are taking additional security measures,” though they do not indicate what those measures may entail.
Nintendo is still in the process of refunding those who were compromised across the globe. Most have already received their refund; however, a few have not yet been processed. Regardless, Nintendo is working to process them as quickly as possible.
All indications thus far still suggest that the breach was not actually on the part of Nintendo themselves, but rather that the information was obtained via a means other than Nintendo’s own systems. This would seem to be corroborated by the additional information Nintendo provided with this update. They stated that even with 300,000 accounts compromised, it still constitutes less than 1% of all NNID accounts worldwide. A direct breach of Nintendo would likely have affected significantly more users. Most likely, this is a case of users having the same username and password across multiple services: the credentials were compromised elsewhere and are now part of a list that people use to attempt brute force attacks.
As I mentioned last time, for the security of all accounts, it is highly recommended that you utilize two-factor authentication whenever possible. In addition, the use of a password manager with randomly generated, strong passwords is also recommended where feasible.









