Nintendo users are being forced to change passwords following a data breach that has affected 160,000 people. Through a security weakness involving the Nintendo Network ID login system, hackers were potentially able to gain access to player nicknames, dates of birth, countries, and email addresses. Further, third parties may have used the hacked data to make unauthorized digital purchases at Nintendo’s electronic stores.
On its Japanese website (English translation) on Friday, Nintendo announced that hackers were able to use login IDs and passwords obtained illegally to impersonate accounts via the Nintendo Network ID (NNID). The company confirmed that 160,000 accounts have been affected and that certain information may have been viewed by a third party.
Nintendo also said that the registered credit cards or PayPal accounts for users who linked their NNIDs with their Nintendo accounts may have been used illegally at the My Nintendo Store or Nintendo eShop. However, the company said that no credit card information was stolen.
On Monday, ZDNet reported complaints from many Nintendo users that their accounts had been hacked from locations around the world and that some of them had lost money as a result. The account takeovers apparently began around mid-March but hit a peak last weekend.
In response to the breach, Nintendo said that it has removed the ability of users to sign into a Nintendo account using NNID. Designed as a login method for older Wii U and Nintendo 3DS devices, NNID offered a way for users to link their old accounts to a Nintendo profile on newer devices. Hackers apparently took advantage of that process to break into such a large number of accounts.
In its statement, Nintendo said that it is notifying affected users by email. The company is also resetting the passwords for such accounts, so you’ll be prompted to change your password the next time you sign into the Nintendo website. If you’ve used the same password for other sites and accounts, you should change those as well.
“Changing your password is definitely the right start,” Tyler Carbone, chief strategy officer at security provider Terbium Labs, said. “The other thing users need to remember is that with this password exposed, it cannot be trusted for any other services either, so they need to make sure they aren’t reusing it.”
If you don’t receive an email or prompt to reset your password and are still concerned, check your Nintendo account. Sign into your Nintendo account website. At the User Info screen, look at the section for Linked Accounts, and see if the Nintendo Network ID shows up as linked. If it’s not, that’s a good sign. But whether or not your account has been affected, you should still take certain security precautions.
Change your password
To manually change your password at your Nintendo account page, follow these steps.
- Click the option for Sign-in And Security Settings.
- Click the Edit button next to Change Password.
- Enter your current password, and click OK.
- Type and then retype your new password, and click Submit.
Enable 2-step verification
If you’re not already using 2-step verification, now is the time to enable it. You’ll need Google Authenticator for this, so download and install the app for iOS or Android if you don’t already have it.
- At the Sign-in And Security Settings screen, click the Edit button next to 2-Step Verification settings.
- Click the button for 2-Step Verification setup.
- Confirm your email address, and click Submit.
- Enter the verification code sent to your email, and click Submit.
- Open Google Authenticator on your phone, and scan the QR code displayed on the screen.
- Enter the code shown on your phone, and click Submit.
From now on, you’ll need to enter both your password and the code displayed by Google Authenticator for your Nintendo account anytime you sign in.
“It’s worth noting that this breach was related to accounts with NO two-factor authentication,” Carbone said. “That’s how attackers got in, and then spread. So, yet again, we repeat the story we tell over and over–basic cybersecurity practices and hygiene are so essential. It’s the simple stuff that can deter events like this. Two-factor authentication just shouldn’t be optional anymore.”
Change your login name
Using your email address as your login name can be problematic in the event of a data breach. You can change this to something else, thereby hiding your email address from other people. To do this at the Sign-in And Security Settings screen, follow these steps.
- Click the Edit button next to Sign-in method.
- Verify your email address.
- Choose the option for Sign-in ID Only, and create the ID you wish to use.
Watch out for scams
The data breach potentially compromised data that can be used against you, such as your location and date of birth. Be wary of phone calls, emails, or notifications that may try to exploit these details.
“If things like location are now exposed, that means that other scams targeting these individuals can be assumed to have that information at their disposal,” Carbone said. “If you’re in this group, and you get a call claiming to authenticate by knowing your birthday and address, for example, you need to be on the lookout for that. That’s the particularly damaging part of breaches like this to the end users. It’s not just the easily-reset password that’s exposed but also more permanent information that gives bad actors an expanded attack surface, and which can’t be so easily changed.”
Be aware of companies and products with newfound popularity
Companies and brands that are hot can be an inviting target for cybercriminals. Keep that in mind if you’re using an account in this type of scenario.
“Nintendo, like Zoom, is under something of a microscope right now,” Carbone said. “Nintendo’s recently-released ‘Animal Crossing: New Horizons’ game for the Nintendo Switch came out in March, just when people were required to stay home, and so has done very, very well. This means that any attention on Nintendo is magnified–both because the company is in the media much more, and also because it has a glut of new users right now. It’s always important to react carefully to a security breach, but even more so in a case like this, with both users and publicity at highs.”