Nintendo Switch accounts are getting broken into: What to do now


Cybercriminals are targeting Nintendo accounts left and right, and if you don’t have two-factor authentication active on yours, you're just asking for trouble.

When I received the first email message that my Nintendo account had a new login in the United States, I assumed that my partner had booted up the Switch and had wanted to browse the eShop. When I got the second email message that my Nintendo account had a new login from China, I knew something was up. 

For those who haven't taken a Nintendo system online in a while, a Nintendo account is what lets you access the eShop, play Switch games online and log into Nintendo’s handful of mobile games. 

Like most other online gaming accounts, it allows you to save payment details, such as a credit card or PayPal account, making it a tempting target for malefactors.

Eurogamer reports that I’m not alone in my Nintendo woes; a Eurogamer staffer faced the same problems, and Twitter users have been weighing in with even more horrific stories. 

If you're lucky, as I was, a cybercriminal accesses the account, sees there’s nothing of interest there, and logs out again. But if you have payment details saved, you could find yourself facing down a spate of fraudulent purchases, particularly currencies for cross-platform games like Fortnite.

Nintendo hasn’t commented on the issue directly, but the company did tweet out a timely PSA about activating two-factor authentication (2FA), suggesting that the company is aware of what’s going on in some capacity. 

How to activate 2FA on your Nintendo account

I’ll put this bluntly: If you have a Nintendo account, you need to activate 2FA. Simply changing your password is not a strong enough defense, as I learned the hard way.

In any case, 2FA isn’t hard to activate. Simply log into your Nintendo account on a web browser, then click “Sign-in and security settings” on the left-hand menu. On the bottom of the page, you’ll see an option that says “2-Step Verification settings.” Click “send e-mail,” and the Nintendo website will walk you through the rest of the process.

Basically, you’ll use a phone app called Google Authenticator to generate a six-digit code, which you’ll enter each time you log into your Nintendo account from now on. (It works on iOS as well as Android.) Since the Authenticator is tied exclusively to your phone, a third party who guesses your password still cannot log in without that code.

Other ways to protect your Nintendo account

There are a few other steps you can take to keep your Nintendo account safe, although they’re not quite as effective as 2FA. 

The first is changing your sign-in method, which forces you to sign into Nintendo accounts with only your username. (This is harder to guess than your email address, particularly if cybercriminals picked up your login info from an old data breach.)

You can also remove all saved payment options from your Nintendo account. This means that you’ll have to input credit card information manually each time you want to buy a new game, but trust me, it’s better than having an intruder get ahold of your credit card info.

It’s not clear how cybercriminals got their hands on Nintendo login data. My money is on “combing through old data breaches and hoping that the usernames and passwords still work,” otherwise known as credential stuffing. But it’s always possible that an ingenious hacker has figured out how to access Nintendo’s databanks directly. 

In the meantime, 2FA will keep you safe. And remember: If you don’t activate 2FA, an impostor might. And getting that reversed is a real problem.

Marshall Honorof

Marshall Honorof is a senior editor for Tom's Guide, overseeing the site's coverage of gaming hardware and software. He comes from a science writing background, having studied paleomammalogy, biological anthropology, and the history of science and technology. After hours, you can find him practicing taekwondo or doing deep dives on classic sci-fi.