Nintendo Account Breach Affected Hundreds Of Thousands Of Users, Said Nintendo

24/04/2020

Nintendo Co., Ltd. is a multinational consumer electronics and video game company headquartered in Kyoto, Japan.

As a company more than a century old, Nintendo has been one of the world's largest video game companies by market capitalization, having created some of the best-known and top-selling video game franchises of all time, such as Mario, The Legend of Zelda, and Pokémon.

The company has confirmed that around 160,000 of its users' accounts have been affected by hacking attempts.

Nintendo said that login IDs and passwords have been “obtained illegally by some means other than our service,” resulting in the attackers obtaining users' nicknames, date of birth, country, and email addresses.

As a result, some accounts experienced fraudulent purchases, such as bundles of Fortnite's in-game currency, V-Bucks.

To prevent further damage, the first thing Nintendo did was reset the passwords for all affected accounts.

Nintendo Account linked with NNID. (Source: iMore)

The case first surfaced after Nintendo users complained via Twitter and Reddit about suspicious activity on their accounts, sometimes including unauthorized logins and payments for a variety of digital goods on Nintendo's digital stores.

Nintendo asked the affected users to contact the company so it can investigate the purchase history and cancel purchases.

This was where Nintendo realized that an increasing number of Nintendo Account users have also been reporting

Nintendo found that attackers were abusing its Nintendo Network ID (NNID) legacy login system.

NNID was primarily used for the Nintendo 3DS handheld and Wii U console, both of which are already discontinued. NNID is different from a Nintendo Account, which is used for the Nintendo Switch.

The attackers discovered that an NNID can be linked to a Nintendo Account and used as a login option.

If the attackers were able to access a linked NNID, they could then access the linked Nintendo Account. And from there, they could have access to users' payment methods.

Nintendo then disabled the ability for anyone to log in to a Nintendo Account through an NNID, and urged all users to enable two-factor authentication.

After resolving the issue, Nintendo published the report on its Japanese website.

Nintendo did not provide further detail about how attackers had accessed NNID accounts other than saying that they were “obtained illegally by some means other than our service” since the beginning of April.

While some user data may have been breached and stolen by hackers, fortunately for users, credit card data was not accessed.

Affected users should be notified via email, and warned if they've used the same password for their NNID and Nintendo Account, with Nintendo saying that “your balance and registered credit card / PayPal may be illegally used at My Nintendo Store or Nintendo eShop.”

“We sincerely apologize for any inconvenience caused and concern to our customers and related parties,” wrote Nintendo. “In the future, we will make further efforts to strengthen security and ensure safety so that similar events do not occur.”

In a follow-up, new evidence suggested that the data breach was worse than initially reported. Nintendo updated its findings, saying that the actual number of gamers who may have had their accounts illegally accessed by hackers was not 160,000, but closer to 300,000.

The updated information was relayed through the company's Japanese support site, where it also confirmed that it had reset the Nintendo Network ID (NNID) and Nintendo account passwords for all users affected.