Nintendo confirmed that 160,000 accounts have been accessed after login credentials were ‘obtained illegally’ by hackers.
Earlier this month, some Nintendo users started reporting that their accounts had been hacked and accessed from remote locations around the world.
According to ZDNet, many of these users reported losing money from the credit card or PayPal accounts associated with their Nintendo accounts. The publication said that these attacks began around mid-March and continued into April.
Affected users began receiving email alerts notifying them that unfamiliar IP addresses had been accessing their Nintendo profiles. When ZDNet covered the news on 21 April, it was not known if the hacking was the result of leaked passwords, brute-force attacks or password spraying.
However, some users said that their passwords were complex and unique to their Nintendo accounts, which raised concerns of a potential breach.
Nintendo’s statement
Today (24 April), Nintendo confirmed the breach, saying that user login IDs had been “obtained illegally by some means other than our service”. The company said this had affected around 160,000 accounts.
The gaming company is now disabling the ability to log into a Nintendo account through a Nintendo Network ID (NNID) – the old login IDs used for 3DS and Wii U devices.
The Nintendo Switch console uses a newer Nintendo account system that allowed users to link their older accounts, but the company has now stopped this as a precaution.
It is also resetting passwords on accounts that have been affected, and advising all users to set up two-step verification for their accounts to prevent future intrusions.
The company will contact users that have been affected through email to warn them that using the same password for a NNID and Nintendo account could result in your balance, registered credit cards and PayPal accounts being “illegally used” in the My Nintendo Store or Nintendo eShop.
Fraudulent purchases
Numerous Nintendo users have reported strange activity on their PayPal accounts in recent weeks, claiming that hackers were purchasing Nintendo Switch games and Fortnite’s in-game currency.
High-profile gaming figures have said that they were affected by the attacks, including the founder of LootPots gaming news and the editor of ArsTechnica’s game reviews.
ZDNet also spoke to a source in the threat intelligence community who identified advertisements posted by hackers selling Fortnite V-Bucks acquired from Nintendo Switch accounts.
One user tweeted earlier this week: “My Nintendo [account] got hacked a few weeks ago but I caught it fast enough and my BF’s account just got hacked yesterday. This has been happening [to] a ton of people and most cases result in $100-plus charges for Fortnite currency. Would highly suggest setting up [two-factor authentication] ASAP.”
My nintendo acc got hacked a few weeks ago but I caught it fast enough, and my bf's account just got hacked yesterday. This has been happening to a ton of people and most cases result in $100+ charges for fortnite currency.. Would highly suggest setting up 2factor ASAP
— シリア☆ (@cillia) April 19, 2020
Nintendo has asked any users who have lost money through the attacks to contact the company to cancel purchases and enable it to investigate purchase history.