Image credit: Wachiwit via Getty Images

Nintendo blocks legacy logins after 160,000 accounts were compromised (update)

Hackers used insecure legacy accounts to access PayPal funds.
Nintendo has shut down NNID logins and is encouraging Switch owners to lock down their accounts after a wave of fraudulent attacks. Nintendo itself has confirmed that the platform has fallen foul of hackers, who are accessing accounts and using linked PayPal accounts to make expensive digital purchases. Some reports suggest the attacks have been going on for weeks, but have ramped up in the last few days.

According to Ars Technica, victims will receive a plain-text email notice from Nintendo, advising them of a new sign-in and including details of the time, approximate location and device used to access the account. Nintendo says that some 160,000 accounts have been targeted, with private details such as nicknames, email addresses, dates of birth and gender potentially viewed by third parties. The company has confirmed that while purchases have been made via Nintendo accounts, credit card data was not accessed.

It appears that hackers have taken advantage of vulnerabilities surrounding legacy accounts. Before the current account system for Switch and other newer devices was introduced, the company used Nintendo Network ID (also known as NNID) for platforms such as the Wii U and 3DS. These accounts were set up using original screen keyboards, which made it harder to create strong passwords — the current system, meanwhile, allows accounts to be created on a web browser. The bigger problem, however, is that while NNIDs are now a thing of the past, they may still be linked to users’ new accounts. As such, hackers may only need to get into a questionably secured NNID in order to access a newer account, and the PayPal funds associated with it.

Nintendo has gone straight to the source of the issue and shut down NNIDs completely. In a statement, the company announced it has “abolished the function of logging in to a Nintendo account via NNID,” noting that “passwords will be reset sequentially for NNIDs and Nintendo accounts that have been illegally logged in.”

Nintendo UK later issued a statement on its support site: “We would like to provide an update on the recent incidents of unauthorised access to some Nintendo Accounts. While we continue to investigate, we would like to reassure users that there is currently no evidence pointing towards a breach of Nintendo’s databases, servers or services. As one action in our ongoing investigation, we are discontinuing the ability to use a Nintendo Network ID to sign in to a Nintendo Account. All other options to sign-in to a Nintendo Account remain available.” US users can find a statement and FAQ here.

Console owners — affected by the hack or otherwise — are now being told to enable two-factor authentication (2FA) on their accounts. It’s a straightforward process that provides a robust layer of security, and can prevent hackers from accessing accounts via legacy means like old NNID credentials.

Nintendo has said that it will immediately refund any fraudulent purchases made, but the company has faced some backlash for the way it’s handled the breach. Firstly, it appears that it has been aware of this type of attack for some time, but has only issued guidance after the breach became more widespread. Secondly, its first statement on the situation advised customers to set different passwords for NNID and Nintendo accounts before making a brief mention of 2FA.

Nonetheless, the attack highlights the pervasive security issues associated with legacy accounts. Users will link existing accounts to newer ones for reasons of convenience without necessarily recognizing the potential consequences of doing so. If they don’t implement 2FA, they’re left vulnerable. But many would argue that a company the size of Nintendo should have been aware of these risks, and is therefore responsible for taking more proactive measures to mitigate them.

Update - 4/24/20 9:30am ET: This article has been updated to include an English language statement from Nintendo UK.
