This week, an increasing number of Nintendo account holders have been reporting suspicious activity on their accounts, sometimes including unauthorised logins and payments used to buy digital goods on Nintendo's digital stores. In response, Nintendo advised players to set up 2-Step Verification to add another layer of security to their accounts, and have now issued an official statement.
Posted to Nintendo's Japanese website, the statement confirms that around 160,000 Nintendo accounts which use a Nintendo Network ID to log in may have been affected by unauthorised logins. These hacking attempts have been taking place since around the beginning of April.
Nintendo says that it has now abolished the option to log in using a Nintendo Network ID and will enforce password updates for any accounts which have either been directly affected, or use that login method. Anyone affected by these changes will be notified by email.
Nintendo warns that information such as a player's nickname, date of birth, country / region, or email address may have been viewed by a third party if connected to a Nintendo Network ID. Players' credit card information remains safe and secure.
We've shared this numerous times before, but we really do recommend that you set up 2-Step Verification on your account to be as safe as possible, following Nintendo's own advice. Here's how to do just that:
How To Set Up 2-Step Verification On My Nintendo Switch Account
- Go to the Nintendo Account website and sign in to your Nintendo Account.
- Select Sign-in and security settings, then scroll down to 2-Step Verification and click Edit.
- Click 2-Step Verification settings.
- Click Send email to have a verification code sent to the email address on file.
  - If the email address is incorrect, click the Email address menu setting under User Info to change it.
- Enter the verification code from the email, then Submit.
- Install the Google Authenticator app on your smart device.
  - This is a free app, available through Google Play (Android) and the App Store (iOS).
- Use the smart device app to scan the QR code displayed on your Nintendo Account screen.
- A 6-digit verification code will appear on your smart device. Enter the verification code into the field under step 3 on the Nintendo Account screen, then Submit.
- A list of backup codes will appear. Click Copy to copy all the codes, then paste them somewhere safe.
  - A backup code will be required to log in if you don’t have access to the Google Authenticator app. MAKE SURE TO KEEP THESE SOMEWHERE SAFE.
  - You can use these (one time each) if you do not have access to the Google Authenticator app.
- Click I have saved the backup codes, then OK.
  - Once set, you can return to the 2-step verification settings section to review the backup codes and remove the 2-step restriction.
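What the app and the sign-in page are doing in the steps above, as an added example that is not Nintendo's code: Google Authenticator implements standard TOTP (RFC 6238), so the QR code hands the app a shared secret and both sides derive the 6-digit code from that secret and the current time. The secret below is the RFC's published test key; the URI, the backup codes and the `TwoStepVerifier` class are constructed for illustration, and how Nintendo's servers actually check codes is an assumption.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed enrolment URI of the kind a 2-step setup QR code encodes.
# The secret is the RFC 6238 test key ("12345678901234567890"), not a real one.
SAMPLE_URI = ("otpauth://totp/Example:player%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")
STEP = 30  # seconds each code is valid for (the TOTP default)


def secret_from_uri(uri):
    """Extract the Base32 shared secret the app stores after scanning."""
    b32 = parse_qs(urlparse(uri).query)["secret"][0].upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, unix_time, digits=6):
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, int(unix_time) // STEP, digits)


class TwoStepVerifier:
    """Hypothetical server-side check: TOTP first, then one-time backup codes."""

    def __init__(self, secret, backup_codes, drift_steps=1):
        self.secret = secret
        self.unused_backup = set(backup_codes)
        self.drift_steps = drift_steps  # tolerate a slightly wrong phone clock
        self.last_counter = -1          # highest time step already accepted

    def check(self, submitted, unix_time):
        current = int(unix_time) // STEP
        for counter in range(current - self.drift_steps,
                             current + self.drift_steps + 1):
            if counter <= self.last_counter:
                continue  # a code from an already-used step is a replay
            expected = hotp(self.secret, counter)
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self.last_counter = counter
                return "totp"
        if submitted in self.unused_backup:
            self.unused_backup.discard(submitted)  # each backup code works once
            return "backup"
        return None


if __name__ == "__main__":
    secret = secret_from_uri(SAMPLE_URI)
    verifier = TwoStepVerifier(secret, ["BKUP-0001", "BKUP-0002"])
    code = totp(secret, 59)
    print("code at t=59:", code)
    print("first use:", verifier.check(code, 59))
    print("same code again:", verifier.check(code, 59))
    print("backup code:", verifier.check("BKUP-0001", 59))
    print("backup code again:", verifier.check("BKUP-0001", 59))
```

Because the code depends only on the secret and the clock, any RFC 6238 app that scans the same QR code produces the same digits.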
[source nintendo.co.jp, via twitter.com]
@MortalKombat2007 Can be used to track down your SSN. Obviously won't work if you lied about the year though.
I wanna add something even though Nintendo have confirmed they’re removing the ability to log in to Nintendo Account via NNID.
In the NNID settings menu on 3DS (likely on Wii U but can’t confirm), on page 3 there is something called “Access from PC and Other Devices”. If you hit restrict that then prevents you (and others) from logging into NNID on as it says PC, Smartphones & before Nintendo killed it, the Switch.
I’d still enable that so it locks down that legacy account system even more to your own personal consoles (3DS & Wii U).
And of course for Nintendo Account, 2FA, strong password, usual stuff. 2FA your email as well. 2FA everything.
It's more likely to be credential stuffing than an actual hack. Credential stuffing is ridiculously easy and it's fairly trivial to write a bot to automate the process. Just feed it lists from pastebin or wherever and set the target site(s).
Oh, is this how an unknown direct deposit came into my bank account. Please, send more.
I got hacked the other day. Someone from the US logged into my account. Password has been changed and 2 factor has been used.
@MortalKombat2007 As someone who was a victim of identity theft last year, a lot can be done with someone's name, address and date of birth, especially these days where identity checks are done electronically with no requirement to sign or provide physical ID for most companies. It's a proper pain trying to sort it all out. No financial loss to me personally thankfully, but a huge amount of time spent getting it all sorted.
Right. Surely the victims will be compensated with some of that sweet Animal Crossing profit.
Show us what a sweet and caring company you are, Nintendo. 😘
Been there, done that...I mean as a victim. Financial losses can be recovered through the bank. Admittedly, it is annoying not much of a problem unless somebody is stupid enough to let it happen too long. Though, I imagine recovering losses could be much more difficult in certain countries.
This is one of the biggest reasons I prefer physical media. I can hold it in my hand and pay cold hard cash that you cannot track to a specific person. Just don't use credit cards and unlink them and stick to eshop cards.
I don't currently have a smartphone. So thanks I guess Nintendo.
All affected parties will be adequately compensated with Bells.
Fortunately I already have the two step verification on since I bought my Switch three years ago, just for precaution I still regularly check my bank account for any suspicious Nintendo payment.
No, no and NO. I should not have to download some googly-stuff to a smartphone in order to secure something that's already supposed to be secured.
It seems that my account was affected (received emails notifying attempts to connect from china, india and more...) cause I used to log with this Nintendo ID method.
But why are there two methods to log in, anyway? What is all this mess? Nintendo, I love you, but you really need to step up your game with everything online related...
I was a little whiny about using the 2-step verification in the last thread, but with a confirmed data breach everyone should just get it over and done with if they haven't already. I didn't feel all that jazzed about using Google Authenticator, but Authy was a perfect alternative, and even seems to provide a little more help if you lose your phone.
There's no indication so far that Nintendo have been breached. As I said earlier, it's more likely due to credential stuffing. There's nothing Nintendo can do if people are re-using passwords across sites so it doesn't point to a failure on their part.
The reason I suspect cred stuffing is because it's so prevalent at the moment and if they've got passwords then that's unlikely to have come from Nintendo's internal systems being hacked. Storing passwords in plaintext is a rookie error I wouldn't expect them to make.
Using Google Authenticator isn't ideal, but there are alternatives that can handle it without involving them.
What they haven't addressed is the fact that in the settings menu under security / Login info is the option to only sign in using your Network ID with the following in brackets next to it (Recommended). I can't login using my email, only my Network ID based on the recommendation by Nintendo. I would have thought it was easier for the hackers to get access to your email address rather than the Network ID.
Nintendo Life, can I make a suggestion to clear up more confusion (since Nintendo is awful at making it clear).
Whenever you’re giving the 2FA steps, make it clear that Google Authenticator ISN’T the only option (Nintendo does say this but it’s pretty much blink & you miss it).
You can use much better alternatives such as Microsoft Authenticator & Authy, both of which offer cloud backups in case your device breaks or you upgrade your phone, something Google Authenticator does not.
Only say this as on reddit, here, gamefaqs etc, one of the common complaints I see is people moaning about Google Authenticator’s lack of backups if your device dies or that it’s the only thing you can use for Nintendo Account 2FA (which isn’t true).
Luckily, I already enabled two step-verification prior to this. Nintendo network IDs seemed too simple not to be a security loophole. Good luck to those affected.
No breaches to my account that I know of, but I will be changing my password just to be on the safe side. I intentionally don't store any credit card info on my account and rely on loading eShop cards for purchases.
Haven't been affected by this as far as I know. Nintendo's website doesn't show any additional sign-ins on my account and my money has stayed safe. I have linked my PayPal account since that's required if you want to pay via PayPal on Switch but I've never stored credit card information on any of my consoles. Changed my password just in case.
This is why I use temporary credit cards through privacy, they work only one time or I can use one multiple times and lock it down when it's not in use.
I could get 2FA set up too as another layer, just not in the mood for more Google shenanigans. I'm going to check out Authy.
@ryancraddock Why did you use the word "may" in both the title and the article:
"Nintendo Confirms That Around 160,000 Accounts May Have Been Hacked"
"Emails, date of birth and more may have been accessed"
"accounts which use a Nintendo Network ID to log in may have been affected by unauthorised logins"
which implies it's a rumour or it might have happened, when both the enclosed tweet and the Nintendo apology don't use such a qualifier, they just come right out and say it happened? Why are you giving people a false sense of security when Nintendo isn't?
Tweet, no "may" about it:
"Nintendo Co. Ltd. had confirmed that over 160,000 Nintendo Network IDs and accounts have been illegally accessed"
Nintendo, no "may" about it:
"Recently it has come to our attention that login IDs and passwords have been obtained illegally by sources outside our service"
Where did you get the "may" from? Did you check with legal first, covering your behind?
Nintendo didn't hesitate:
We can confirm these actions have occurred.
We can also confirm that there was illegal access to such accounts through the Nintendo Network ID system.
No ifs, ands or buts on Nintendo's part. No "mays" about it.
No surprise. Nintendo's online services are the worst. A blemish on an amazing console experience that people love.
@rjejr The source of the article (the official report from Nintendo's Japanese website) reads as follows:
"NNID that may have received unauthorized login
● About 160,000 accounts
Information that may have been viewed by a third party
● The following information registered in NNID: Nickname, date of birth, country / region, email address"
I'm wording it as Nintendo has worded it.
Does this ONLY involve Switch or also includes 3DS and Wii U accounts?
@ryancraddock Thanks. Looks like Nintendo is admitting they were hacked and account information was stolen, and the "may" applies to the number being as high as 160,000 and the information including nickname, DOB, etc.
So I guess it's both. Yes, our (Nintendo) systems have been hacked, and you (us the customers) "may" have been one of those 160,000 and the customers information that was stolen may include but is not limited to DOB, name, etc.
Interesting how they never mention credit card info yet purchases are being made. I guess it's easy to buy something once the CC is linked w/o having to hack the CC info. I'm pretty sure I've never let any hardware device store my CC info, I keep a Sony card next to all my remotes and controllers, just put it in when I need it. I'm not a big digital purchases, we're almost solely physical or free.
Thanks as always for the clarification.
Why doesn't Nintendo limit number of login attempts per hour?
It sounds like hackers are breaking into accounts using brute force.
If you could only try three passwords an hour, it would discourage this kind of thing.
If 160,000 accounts were breached, I would argue that Nintendo needs to do more.
I'm just gunna play my Gameboy advance and snes for the rest of my life. Done with this online bs
Brute-forcing 160K+ accounts would take far too much compute time. It's far more likely they're trying to log into each account once with a password scraped from another breach.
That's harder to block because you have to monitor for login attempts against multiple accounts from a single IP address. There's also a question about how you police that. What is an unreasonable number of accounts to be accessed from a single IP address? If you and a few friends are all at your place, using your wi-fi, you'll all have the same external IP address (as your router will handle NAT internally so you all get the correct traffic). There's a risk of annoying legitimate users if you start blocking everyone in the same house.
Also, the scammers can easily set up proxies to ensure they're regularly switching the IP address they're using.
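The trade-off raised in the comments above (a per-account attempt limit versus watching for one address touching many accounts, without blocking a household behind NAT), as an added example that is not part of any comment. The log format, thresholds, account names and addresses (documentation ranges) are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed login log: one stuffing source, one household, one forgetful user."""
    lines = []
    # One source tries a different account every 5 seconds, one password each.
    for i in range(12):
        result = "ok" if i == 7 else "fail"
        lines.append(f"2020-04-20T10:00:{i * 5:02d} ip=203.0.113.7 "
                     f"user=acct{i:02d} result={result}")
    # Five people behind one home router (NAT) signing in normally.
    for i, user in enumerate(["ana", "ben", "cy", "dee", "eli"]):
        lines.append(f"2020-04-20T10:01:{i * 10:02d} ip=198.51.100.20 "
                     f"user={user} result=ok")
    lines.append("2020-04-20T10:02:00 ip=198.51.100.20 user=ana result=fail")
    # One person repeatedly mistyping their own password.
    for i in range(4):
        lines.append(f"2020-04-20T10:05:{i * 10:02d} ip=192.0.2.55 "
                     f"user=fay result=fail")
    return lines


def parse_line(line):
    """Return (timestamp, ip, user, succeeded) from one constructed log line."""
    stamp, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return datetime.fromisoformat(stamp), kv["ip"], kv["user"], kv["result"] == "ok"


def locked_accounts(events, limit=3, window=timedelta(hours=1)):
    """Per-account limit: lock once an account exceeds `limit` failures per window."""
    recent = defaultdict(deque)
    locked = set()
    for ts, _ip, user, ok in sorted(events):
        if ok:
            continue
        failures = recent[user]
        failures.append(ts)
        while failures[0] < ts - window:
            failures.popleft()
        if len(failures) > limit:
            locked.add(user)
    return locked


def stuffing_suspects(events, window=timedelta(minutes=10),
                      min_accounts=5, min_fail_ratio=0.8):
    """Per-source view: many distinct accounts AND mostly failures in one window.

    The failure ratio is what keeps a busy household or office behind NAT
    from being flagged just for having several accounts on one address.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip, user, ok in sorted(events):
        attempts = recent[ip]
        attempts.append((ts, user, ok))
        while attempts[0][0] < ts - window:
            attempts.popleft()
        accounts = {u for _, u, _ in attempts}
        fails = sum(1 for _, _, succeeded in attempts if not succeeded)
        if len(accounts) >= min_accounts and fails / len(attempts) >= min_fail_ratio:
            flagged[ip] = max(flagged.get(ip, 0), len(accounts))
    return flagged


if __name__ == "__main__":
    events = [parse_line(line) for line in build_sample_log()]
    print("locked by per-account limit:", locked_accounts(events))
    print("flagged sources (distinct accounts):", stuffing_suspects(events))
```

On this sample the per-account limit only locks the forgetful user, while the per-source check flags the address that touched twelve accounts and leaves the household alone. As the comment notes, a source that rotates proxies spreads its attempts across addresses, so a per-IP window is one signal rather than a complete control.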
No wonder I got a random login in Russia (obviously it was an IP address that was routed to be in Russia).
I changed that password so fast haha. I even did the 2 step authorization.
But seriously this ain't good. Even if you didn't get an email, change your password and hit logout of all accounts.
Oh no, the hackers may have my email address.
Just like the spammers already emailing me.
As long as they don't get my CC info, they're not going to do much, since I don't use the "save my CC" option. If they want to buy me games with their CC, they can.
@Bobobiwan You should be using 2factor authentication for everything from your Nintendo account to your utilities bills. This isn't some special Nintendo thing. Just about every responsible digital payment platform has 2factor options. You can use Microsoft or Authy Authenticators if you don't like Google. It's a fact of the modern age, 2 factor is needed everywhere. If you don't want to use it, that's up to you, but don’t complain if your accounts get taken over. You were given the tools.
@GameOtaku agree, plus this isn't as bad as the PSN hack fiasco that had over 20,000,000 accounts being compromised. Reason why to add numbers to your passwords like I do with mine.
There is always someone who has to spit in the punch...
@Late paypal more safer route then typing your credit card info reason my account hasnt been touch cause of paypal that using numbers with letters in my password
@DevlinMandrake I think so too. My sister and a friend also recently got "ransom" phishing emails that mentioned hotmail passwords they probably got from a pastebin. It seemed odd to me that at the same time Nintendo was getting this issue. They're probably just targeting old services.
This may speed up Nintendo's discontinuation of the 3DS and Wii U servers.
Yeah, it's ridiculously common because breached lists of username/e-mail + password combinations are all over the place.
Also, it doesn't require much in the way of technical knowledge to set it up. I've not looked but I bet there are loads of open-source autologin software available on GitHub, for instance.
Putting numbers in your password doesn't make it any safer, nor harder to brute-force. A secure password is all about length, nothing else. Also, if your password gets breached because someone stored it in plaintext and then got hacked (or your device is hit by a keylogger) it's completely irrelevant how "strong" your password is.
I don't really have anything for a hacker to steal on my Nintendo account honestly and I'm surely not stupid enough to leave my card details on any online account including PSN, I use vouchers for anything digital.
It's grotesque that people are actually accepting 2FA as a solution for anything, ever. It's a disastrous scheme that should not ever be used under any circumstance, ever that mostly provides false security, is more likely to lock you out of your own account than your account getting hacked, and requires alternate devices to be present any time you need to log into anything. It's not a solution, it's a greasy bandaid you found on a park bench.
It helps with "password stuffing" at best, but actual network compromises, it merely causes the actual user endless headaches, high risk of being locked out of their legitimate account, and does NOTHING about access from an actual hack. Not a solution. Just busy work so you can "feel safe."
Just for the handful of things that require 2FA I'm tired of having to confirm about 5 different things every single day of my life, knowing that when a real breach happens, it was all for nothing anyway.
@DevlinMandrake Sony stored passwords in plaintext (or close enough) back during their hack. Never overestimate Japanese data security. That wasn't a "hack" so much as back door access from an internal PC that was hacked.
Still, for this hack, it seems like a strangely limited number of accounts were at risk. NoA hasn't sent out any kind of broad notice. Not sure what the differentiating factor is. Anyone with a yearly NSO sub has to have payment on file, but also needs MyNintendo, not NNID.
I can see the future...
Thank you for logging onto Nintendo Online, please enter your mobile code from your mobile device. Now, please enter your email code from your email. Now please log in to security.net to obtain a security code.
Welcome to security.net, please verify your identity from Google's Security App on your mobile device.
Now please call (XXX) XXX - XXXX. Thank you for calling security.net, we are sorry but our lines are busy. Please try again later.
Well my password is a mix of letters, capitalization, numbers, curse words (in two or three languages), and symbols so unless they don't want to be mocked they better mind their own freaking business.
I think it's a bit of stretch to claim that because Sony had bad security it's a Japanese thing. Sony happen to be a Japanese company, but bad security is all over the place.
The reason I'm leaning towards it being a credential-stuffing breach is because of the limited number affected (that we know of so far) and because it's more common and easier to implement than sophisticated hacks.
EDIT: Also, your comments on MFA are pretty ridiculous. The entire point of MFA is to ensure that you're not relying simply on a username/password combination. Using an authenticator app (or phone call) means that any attacker needs to compromise your local device as well as hacking the central system. That makes it orders of magnitude harder to carry out at scale. The only way MFA is a threat is if it's badly implemented but that's like saying that because there are bad builders out there nobody should ever build anything.
@NEStalgia For NSO subscription, the only thing that requires credit/debit cards or Paypal connected to your Nintendo Account are the free trials (naturally intended so Nintendo gets extra subscriptions from people who forget to cancel the auto-renew). For actual paying for the subscription you can just use those prepaid eshop cards or prepaid NSO subscription card.
@GameOtaku I agree with you Ryoko 😉
@DevlinMandrake Japanese companies have been overall behind in data security for quite a long while. Yes, bad security is clearly everywhere, but Japan has been famously behind in that regard, in part because they generally haven't been as involved in large public access data systems outside Japan nearly as much as other countries until recently.
MFA is ridiculous. It puts the onus of security onto the user in a way that's impractical and defeats most of the convenience created by digital systems to begin with, while simultaneously NOT actually protecting the data within the network, only mitigating the risk of non-local access. Maybe not for the user that just logs into Facebook and Playstation now and then but in professional environments where you're logging into dozens of applications and systems daily that means dozens of confirmations of these 2FA schemes daily and it means having a cell phone or some other device strapped to your person at all times, without fail, or having no access to any of your systems. It breaks everything that was intended to be convenient about the internet. It's only beneficial for stuffing, brute forcing, "script kiddie" type attacks, but offers no protection against actual internal data breaches, whatsoever. It's a lot of work for a solution that doesn't even solve the problem.
@NEStalgia Huh? I never did a free trial and it always required, at least when I signed up, a built-in PayPal account (fortunately PayPal and not a CC, though it sounds like neither was compromised here, anyway). I can try to unlink it, but I wonder if that will just make the annual sub fail?
@DevlinMandrake There is plenty of indication Nintendo is at fault. There are people who reported changing their password and an hour later their accounts were still getting broken into. If this was password fishing from some list, that wouldn't happen. I also didn't have a NNID attached to my account and I still got hit with this.
All that tells us is that it's likely NNID isn't the source. As to repeated breaches, if people are using a compromised device to change the password they'll remain compromised. Likewise, if they're doing stupid things like just incrementing the number at the end of their password then it won't help either. I've got software here for cracking admin credentials on database files. There's an option to try common variants of passwords built in to it.
Anyway, I'm not married to the theory of credential-stuffing, it just made most sense based on available information. With any breach you've got to be prepared to re-evaluate as more information becomes available.
Do you have anything you can cite that shows Japan lagging on data security? It's not something I've heard of before so I'd be interested if you can supply any corroboration for that statement.
Not that interested though, as you clearly don't understand MFA.
The onus for securing your own data is always on the user. Whether that means not giving it to dodgy sites or ensuring you use strong passwords or enabling MFA.
MFA reduces the risk of a centralised breach affecting users. The password is useless without the additional authentication factor.
Also, phone apps aren't the only available authentication factors. USB dongles have been around for years.
Security always has to be balanced against convenience. For a site like this one, MFA is pointless because it's not securing anything particularly sensitive or valuable. For an online account that handles cash transactions it's much more imperative to secure it properly.
Also, I feel for you if your job requires you to use overly onerous authentication, but that sounds like they're doing security wrong.
If you're having authentication problems I feel bad for you son,
I've got 99 problems but MFA ain't one.
@Bobobiwan "I should not have to download some googly-stuff to a smartphone in order to secure something that's already supposed to be secured."
That's like saying you shouldn't have to carry a set of keys in order to secure your belongings. If you think maintaining secure online access with an authenticator is too inconvenient, then ask yourself how inconvenient it would be to have to clean up after a hacker gained access to one of your accounts. Suddenly the "inconvenience" of occasionally entering a randomly generated security code doesn't seem so bad.
@DevlinMandrake I'll have to do some digging for some of the fun reads on Japanese data security. It would be humorous if it weren't sad. Don't get me wrong, I love Japan. But their data industry is.....frankly, bad.
MFA does nothing to help with a centralized breach as actual breaches involve accessing data outside of user level credentials. Take, for example, the Sony hack as one such example. The database was directly accessed. The CC information tables were dumped directly from the inside. User level credentials were taken, but they had no value. The valuable information was obtained regardless. Same for the Adobe breach, the various US & state level government breaches, etc. etc. It protects you from credential stuffing and brute forcing but it doesn't do anything to protect from the real serious breaches. It's like putting 20 deadbolts and biometric sensors on the front door, meanwhile there's a screen door on the back.
USB dongles are fine (so long as backups can exist, and account recovery is possible if all hard backups fail, a common failing in cloud service MFA solutions), and are fine for corporate security. I separate corporate security and cloud services in terms of what viable methods are. Things that expect PCs with somewhat fixed, secured mechanisms like dongles work for corporate. For cloud where consoles, phones, someone else's PC, tablets, Rokus, and various other things may need access at any time, solutions like that don't work, but neither does needing to grab a phone (that can be lost, stolen, itself compromised, or its own accounts fail due to circular MFA mechanisms), it doesn't really work. MFA needs to go away for cloud services. We could have stuck with private keys from the beginning, but no, we went with passwords, built a way of life around it, and now want myriad half broken non-standard private key systems in place ALONG with passwords.
And along with all of that is the fact that most of the public doesn't actually understand much of what's going on with any of that, and recommending enabling MFA to them is setting themselves up to be locked out of their own data.
If it tells us anything it's that cloud accounts and data were a stupid idea to begin with. The selling point was convenience and reliability, which is now less convenient and less reliable than maintaining your own local data storage. (Corporate, credentials are a somewhat different animal since it's mostly part of a closed environment. Though the more corporate turns to cloud solutions the more ridiculous 2FA schemes are used. And most of them are still SMS/email based.)
Not surprising really. With everyone staying at home playing games and shopping on Online networks it's a field day for ID thieves and hackers.
@RiasGremory "...reason why to add numbers to your passwords like i do with mine."
The very safest passwords are long (15+ character) and completely random containing upper and lowercase letters, numbers, and symbols. Of course those are difficult to enter and impossible to memorize, which is why a good password manager like KeePassXC is invaluable so you can simply copy and paste your credentials.
The next best passwords are long phrases, because length is more important than complexity. For example, a password like "all gerbils have sticky fur" is more secure than something like "F1r3Bug!" simply because of its length (we're talking hours versus centuries for a pure brute force attack), and a simple phrase is much, much easier to remember and type.
Totally agree about the flaws with cloud computing, it's putting all your data on somebody else's computer and trusting their security. Not to mention the associated problems with vendor lock-in.
However, that's not an argument against MFA.
The Adobe one is a good example. MFA would have mitigated the risks to end-users of having their passwords breached in plaintext (or encrypted with obsolete hashing mechanisms). It won't do anything about CC details or similar being stolen from the central servers, but if they're stored in transit or at-rest in plaintext then that's a massive PCI-DSS violation which results in the company in question losing the ability to handle CC transactions.
MFA is purely to stop the end-user's account being accessed by another user. It won't stop anything else, but then it's not designed to.
And yes, phones can be lost/stolen/compromised but that's why you rely on multiple factors. Defence in depth is at the basis of all security, physical or otherwise. MFA makes it harder, not impossible. In the same way that the lock(s) on your front door act as a deterrent, but nothing else. A crowbar will get you straight in if you don't mind being noisy and obvious.
Also, and this is a big point, MFA acts to protect against users reusing the same credentials everywhere. So many people do it that something like MFA becomes necessary.
A company can put the most stringent security imaginable in place (ISO compliant stuff) and yet if a user writes their credentials on a post-it note it's all for nothing. MFA helps mitigate that. It's not a panacea, but anyone claiming that is a snake-oil salesman anyway.
At the end of the day, you have to weigh up security vs convenience and that's an individual decision. It's a mistake to write off MFA just because you find it inconvenient though.
@DevlinMandrake The passwords don't matter. It's the CC data that matters, as well as just the PII that they get with or without MFA. Who cares if someone gets the passwords? They're worthless if what they were protecting is compromised. Account access by a third party is usually not what we're talking about or worried about in these breaches. Sure a hijacked account means getting locked out (and if there's on-file payment information that means getting billed for purchases until you close it down) but that's not the usual shape of these breaches, it's the birth date, SSN, CC number, etc. being compromised that is the most common and more serious risk we're normally talking about.
In the case of Switch, having to go grab your phone to enter a key after entering your password every single time you want to browse what the eShop has would be ridiculous.
Now, if we're talking re-using passwords, if you need the annoying complexity of MFA to protect you from the colossal stupidity of re-used passwords, that's a whole other mess. Yeah, if I were going to use one password for everything I'd need something else to....well let's face it, it's not 2FA at that time, it's really one factor. The password is little more than a second user name at that point. That's a very different situation where you're using "push passwords" as a replacement for real passwords more than a second factor.
Technically this all could have been fixed by using a hardware analogue of real keys and a physical or wireless reading system before building out "web 2.0" back in the 90's. USB made that easy enough. Keep a private key on hardware keys you can copy as much as you want. Boom, done, and everyone could have easily understood how to use it. Many of us were pushing for that, including for email encryption with PGP and the like in the day. But no, the NSA had to get in the way....how dare someone want to protect data and keep them away from the ability to access it over the wire! Then we just got "web 2.0" built atop that.
At the end of the day MFA is a bad workaround that still leaves the screen door open around back, does little to nothing to protect the actual sensitive information you're trying to protect in the event the remote network is genuinely breached rather than individual user accounts, and still risks locking yourself out of your own accounts/products without recourse, to help mitigate someone else walking in the front door while leaving the back screen open. Sure, it's a "better than nothing" alternative for actual unique, secure, high entropy passwords, if someone chooses not to use one. It does satisfy the "something you have" aspect of security, but due to a lack of standardization and universal input for that, it's a very very crude way of doing something like that for what amounts to doubling down on what should already be a high entropy password. And if the remote network is so weak on security that a brute force attack really could work for a volume of users, I would think getting in on the back end would be a lot easier than trying to brute force every account anyway. Why mess with logins when you can get at the user tables directly?
@JohnnyC no financial loss because anything financial will need more verification like you sent number or license number.
160k hacks is nothing compared to what Sony deals with all the time and no they don't necessarily have more accounts. Even if they do it's no more than double Nintendo's and Sony gets hacked in the millions.
@Dirty0814 No, no financial loss because I contacted all the companies whose credit cards he set up fraudulently in my name and told them the debt he racked up had nothing to do with me. A hassle I could have done without.
@Dezzy lmao not even old people are this behind
Hack or Hek in Dutch translates to a fence.
There, write that down somewhere and use it at parties and social gatherings to impress people about how worldly you are.
@TheLightSpirit depends how tight the security is around paypal since we have lots of firewalls plus sophisticated passwords as well.
I'm both appalled and completely unsurprised (I work in tech support) so many people still don't use 2FA.
Honestly it's sad people got compromised, but it's not all on Nintendo either. They provided better security options, it's not entirely their fault if users didn't use them. It's like locking the standard lock on your door but not using deadbolt as well. The door is only half locked.
Maybe they should do the 2FA with their otherwise useless phone app? Facebook, Google, and others use this kind of setup... Supposedly more secure than SMS but I'm no techie so not sure why that might be.
Waaaait... Someone was trying to get into my Experian account before the news hit...
So Ninty will contact us if our account has been hacked?
Can't we just check our banks to see if money has gone out?
I am not gonna do that, Nintendo is responsible for this, they should improve their security, not asking us to do something. Please learn from PSN, close the eShop, fix the problem and reopen.
@Dezzy ya this is not the right way to fix this problem, asking us to do these ridiculous steps. Nintendo should learn from Sony, close the eShop, fix the damn problem, give free game when reopen.
I had credit card fraud where 500€ was spent in Brazil (never been there) a day later my bank sent it back to me.
@tka060681 there's nothing for Nintendo to fix, none of their services were breached
@LethalX08 Thx for the tip. I can confirm this works on the WiiU. Did it today myself.
@SSJW I thought the username & NNID were one and the same, apologies.