Nintendo said over 160,000 accounts have been hacked, due to attackers abusing a legacy login system.
Over the past few weeks, Nintendo gamers have been reporting suspicious activities on their accounts. According to the complaints, aired out on Twitter and Reddit, unauthorized actors were logging into victims’ accounts and abusing the payment cards connected to the accounts to buy digital goods on Nintendo’s online stores, such as V-Bucks, in-game currency used in Fortnite.
In a Friday statement, Nintendo said that attackers have been abusing its NNID (Nintendo Network ID) legacy login system since the beginning of April to hack into the accounts. NNID was primarily used for the Nintendo 3DS handheld and Wii U console (both now discontinued). This is different from a Nintendo account, which is used for the Nintendo Switch (Nintendo’s most recent gaming console, released in 2017).
An NNID can be linked to a Nintendo account and used as a login option. If attackers were able to access a linked NNID, they could then access the linked Nintendo account. From there, they’d have access to payment methods (via PayPal or payment cards) necessary for making in-game purchases.
Nintendo did not provide further detail about how attackers had accessed NNID accounts other than to say they were “obtained illegally by some means other than our service.” It has now disabled the ability to log into a Nintendo account using NNID.
In response to recent incidents related to some Nintendo Accounts, it is no longer possible to sign into a Nintendo Account using a Nintendo Network ID. We apologise for any inconvenience caused. Please visit our Support website for more information: https://t.co/GMrXr5OHW0
— Nintendo UK (@NintendoUK) April 24, 2020
Attackers may have also been able to access users’ nicknames, dates of birth, countries and email address information, all of which were associated with the NNID, Nintendo warned. Credit card data was not accessed.
The Japanese consumer electronics giant said it is also resetting passwords for the affected accounts, and it advised players to set up two-factor authentication to add another layer of security to their accounts.
“Users will be notified by email to reset your Nintendo Network ID and Nintendo account,” according to the translated version of the statement. “If you have already logged into your Nintendo account via your Nintendo Network ID, please log in using your registered Nintendo account email address or login ID.”
Beyond the massive install base of almost 20 million (for Nintendo Switch), the gaming community as a whole is a lucrative target for cybercriminals.
The discovery of leaked source code for two popular games – Counter-Strike: Global Offensive (CS:GO) and Team Fortress 2 – this week led to security concerns and even calls for gamers to uninstall the software from their computers. In 2019, for instance, researchers warned of a ransomware family, “Syrk,” that targeted Fortnite’s enormous user base by purporting to be a game hack tool.
Threatpost has reached out to Nintendo for further comment on the hacks.
“We sincerely apologize for any inconvenience caused and concern to our customers and related parties,” according to Nintendo. “In the future, we will make further efforts to strengthen security and ensure safety so that similar events do not occur.”