Brute Force Attack on Nintendo Fan Site Yields Data on 25K

Hackers staged a brute force attack against Nintendo for nearly a month, resulting in the breach of nearly 25,000 gamers’ information.

Hackers executed a coordinated attack, hitting servers belonging to the popular gaming company Nintendo hard for nearly a month, resulting in the breach of information of nearly 25,000 gamers.

The brute-force attack targeted Club Nintendo, a fan/membership site run by the Kyoto-based company. From June 9 to July 4, hackers attempted 15 million brute-force logins – 15,457,485 to be exact – of which 23,926 worked, according to a translated press release initially released Friday but updated today. The hack was discovered a week ago, on July 2, after an “access error occurred” that revealed a mass login attempt.

The hackers appear to have used a list of logins and passwords obtained from a third party service associated with Club Nintendo, although at this point it’s unclear what that service was and how that list was acquired.

According to the press release, users’ names, addresses, telephone numbers and email addresses have been compromised in the breach. Users’ financial information is safe at the moment, though, as the company doesn’t process gamers’ credit card information on its Club Nintendo site.

It’s not known at this point whether affected users have had any personal information connected to the accounts tampered with. Fans of Nintendo games and consoles generally use the site to register products and complete surveys to earn credits or coins, which in turn can be redeemed for rewards and limited edition items.

Email requests for comment sent to Nintendo on Tuesday weren’t immediately returned, but the company’s spokesperson Yasuhiro Minagawa spoke to Network World yesterday, claiming the brute force attacks were limited to Japanese accounts.

Club Nintendo is open to users worldwide, but has about four million users based in Japan.

Per usual, Nintendo went ahead and suspended the accounts and passwords of those affected and urged users to change their passwords.

The breach sounds similar to a mass attack aimed at Sony’s PlayStation Network (PSN) two years ago. The company was fined several hundred thousand dollars earlier this year after an attack on one of the company’s databases in 2011 took down PSN for weeks, affected 100 million customers and triggered a chain of security foibles at Sony, its PlayStation Network and Sony Online Entertainment.

It was only last week that we learned that hackers were able to leverage a hole in the website of another gaming company, Ubisoft, to gain access to users’ logins, email addresses and encrypted passwords.
