Nintendo data breach reportedly caused by credential stuffing

Attackers used an account checker tool to identify Nintendo accounts with compromised and vulnerable login credentials, says SpyCloud.

How consumers can defend against credential stuffing
61:56:40

The recent data breach that hit Nintendo affected 160,000 people, resulting in account takeovers and financial losses for a host of users. Now, a security firm has revealed what it says was the cause of the attack.

In a report released Wednesday, security provider SpyCloud announced that it believes attackers used a combination of crimeware and older breached data to identify and take over accounts with vulnerable logins. In this type of credential stuffing campaign, criminals use account checker tools to quickly scan lists of stolen account credentials, typically derived from older data breaches. If a user's credentials match those found in an older breach, the attacker can exploit the account or resell access to other criminals.

Through its PR agency, Nintendo would neither confirm nor deny SpyCloud's findings, instead referring TechRepublic to a support web page about the incident. However, SpyCloud said that it often works with law enforcement and was able to provide information that resulted in the engagement of a kill switch in the source code used in the Nintendo breach. This led to the potential identification of the person who distributed the account checker tool used to test the lists of stolen credentials against Nintendo online logins.

SEE: Checklist: Security Risk Assessment (TechRepublic Premium download) 

The Nintendo accounts affected by the breach were vulnerable because people were using passwords that had been exposed in previous data breaches. SpyCloud said that the checker tool was able to extract specific billing and account information from the breached accounts, including Gold Points balance (points that allow you to buy Nintendo Switch digital games), Nintendo Store or Nintendo eShop balance, PayPal subscription ID, credit card type (Visa, Mastercard, etc), card expiration date, currency denomination, the first six digits of the credit card number, and the last four digits of the credit card number

At this point, the functionality of the checker tool used against Nintendo is broken due to changes the company made in response to the incident. After Nintendo saw a rise in account takeovers, the company started notifying users, resetting affected passwords, and urging people to enable multifactor authentication and avoid reusing the same passwords. Nintendo also severed the ability to use a Nintendo Network ID to sign in to a Nintendo Account, a weakness that paved the way for the attack.

To help organizations protect themselves and their users from credential stuffing attacks and account takeovers, SpyCloud offers the following advice:

  1. Educate users about security hygiene, including password security.
  2. Align with password security guidelines from the National Institute of Standards and Technology (NIST).
  3. Constantly monitor user credentials for weak or stolen passwords (including employees, consumers, and third parties).
  4. Force the use of multifactor authentication (MFA) everywhere.

Of course, users must also take responsibility for safeguarding their own online accounts and should pay attention to the following recommendations from SpyCloud:

  1. Create a unique password for every online account.
  2. Choose long, strong passwords.
  3. Use a secure password manager to keep track of passwords.
  4. Enable multifactor authentication wherever possible.

Also see

A man playing Nintendo Switch.

Image: Getty Images