Nintendo has confirmed that up to 160,000 Nintendo accounts have been accessed in a massive data breach that exploited accounts with no two-factor authentication enabled. (To be clear, there has been no data breach at Nintendo; these accounts were likely compromised because their owners reused passwords from other accounts.)
We previously reported that cybercriminals have been targeting Nintendo accounts, with users receiving emails that alerted them to the new logins. Given that such accounts can contain personal data as well as payment details, the cyber-attacks are also potential privacy breaches.
Nintendo released a statement in Japanese, noting that hackers have been impersonating the “Nintendo Network ID” process from the start of April. This resulted in “illegal” logins to a swathe of Nintendo accounts.
The company said the data that could have been accessed is the user’s nickname, date of birth, gender, country/region and e-mail address. So far, it looks like no payment details were accessed.
However, the cybercriminals were sometimes able to make purchases via linked payment methods. This has led to some people having their accounts charged for up to £100 (around $123) worth of digital items.
It's important to note that the malefactors could not actually see users' payment details in full, though, meaning that they could not steal credit card and PayPal info directly. However, Nintendo warns that users' financial information could be at risk if they employ the same username and password for both their Nintendo and bank or PayPal accounts.
Nintendo is now advising Nintendo account holders to reset their passwords when they get an e-mail notification from the company. Those who are already logged in are advised to log in again.
In response to recent incidents related to some Nintendo Accounts, it is no longer possible to sign into a Nintendo Account using a Nintendo Network ID. We apologise for any inconvenience caused. Please visit our Support website for more information: https://t.co/GMrXr5OHW0 (April 24, 2020)
Users should also avoid having the same password for their Nintendo account as they have for other services, especially payment services like PayPal.
If your account has been breached and someone has purchased a game using your details, Nintendo recommends you contact the company.
The Big N will then conduct an “individual investigation” and cancel the purchase. But be prepared to be patient as Nintendo noted: “We will respond. Please wait as we will proceed with the procedure in sequence.”
Nintendo also apologised for the data breach and said it will “make further efforts” to strengthen its security and ensure that similar events don’t occur in the future.
One way to prevent further intrusions is to ensure you have two-factor authentication (2FA) enabled for your Nintendo account. This means that you get a prompt on your phone with an extra code while logging in, thus making the process more secure. Here's how to set up Nintendo 2FA.