According to a report from BBC News, Spanish police recently arrested a man in the southern province of Malaga who illicitly obtained personal information on over 4,000 "Nintendo users" -- assumedly gamers who made purchases on the Wii and DSi Stores. The man reportedly warned Nintendo that he would contact the country's data protection agency and reveal the gaps in Nintendo's defenses -- though it's unclear whether the info was obtained directly through Nintendo or a third-party source. After Nintendo failed to respond to him, he reportedly began to leak the info onto the internet.
We've contacted Nintendo for a comment on the BBC report, but don't have our fingers crossed as this is still an ongoing investigation. Maybe we should contact this incarcerated hacker to get Nintendo's comment, since he's apparently capable of getting all up in their infos.
Update: According to a report on El Mundo, the hacked data in question didn't come from one of the console-based services, but a website for upcoming 3DS preview events. ElOtroLado user adan_gecko discovered a vulnerability allowing any user to see or even modify the list of people who signed up for more information. He said that he reported this vulnerability to Nintendo, and this appears to be the infraction in question. Thanks to Elideb for the extra information.