It appears that hackers have taken advantage of vulnerabilities surrounding legacy accounts. Before the current account system for Switch and other newer devices was introduced, the company used Nintendo Network ID (also known as NNID) for platforms such as the Wii U and 3DS. These accounts were set up using on-screen keyboards, which made it harder to create strong passwords — the current system, meanwhile, allows accounts to be created in a web browser. The bigger problem, however, is that while NNIDs are now a thing of the past, they may still be linked to users’ new accounts. As such, hackers may only need to get into a questionably secured NNID in order to access a newer account, and the PayPal funds associated with it.
Nintendo has gone straight to the source of the issue and shut down NNIDs completely. In a statement, the company announced it has “abolished the function of logging in to a Nintendo account via NNID,” noting that “passwords will be reset sequentially for NNIDs and Nintendo accounts that have been illegally logged in.”
Nintendo UK later issued a statement on its support site: “We would like to provide an update on the recent incidents of unauthorised access to some Nintendo Accounts. While we continue to investigate, we would like to reassure users that there is currently no evidence pointing towards a breach of Nintendo’s databases, servers or services. As one action in our ongoing investigation, we are discontinuing the ability to use a Nintendo Network ID to sign in to a Nintendo Account. All other options to sign-in to a Nintendo Account remain available.” US users can find a statement and FAQ here.
Console owners — affected by the hack or otherwise — are now being told to enable two-factor authentication (2FA) on their accounts. It’s a straightforward process that provides a robust additional layer of security, and can prevent hackers from accessing accounts via legacy means like old NNID credentials.
Nintendo has said that it will immediately refund any fraudulent purchases made, but the company has faced some backlash for the way it’s handled the breach. Firstly, it appears that it has been aware of this type of attack for some time, but has only issued guidance after the breach became more widespread. Secondly, its first statement on the situation advised customers to set different passwords for NNID and Nintendo accounts before making only a brief mention of 2FA.
Nonetheless, the attack highlights the pervasive security issues associated with legacy accounts. Users will link existing accounts to newer ones for reasons of convenience without necessarily recognizing the potential consequences of doing so: an account is only as well protected as the weakest credential linked to it. If they don’t implement 2FA, they’re left vulnerable. But many would argue that a company the size of Nintendo should have been aware of these risks, and is therefore responsible for taking more proactive measures to mitigate them.
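To make the weakest-link problem concrete, the following is an added example and not code from this article or from Nintendo. It models one account reachable through two linked sign-in methods, a current credential with a strong password and a legacy credential with a weak one, and shows the two mitigations the article describes: closing the legacy sign-in path, and requiring a second factor. The account names, passwords and the TOTP secret are constructed; the one-time-code routine follows RFC 6238 (HMAC-SHA1, 30-second step).

```python
"""Weakest-link model of an account with a linked legacy sign-in method.

Added example, not Nintendo's code. Every linked credential is a door into
the same account; the policy decides which doors stay open and whether a
second factor is needed once a password has been accepted.
"""
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; returns salt || digest."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code for the time step containing `at` (default: now)."""
    counter = int(time.time() if at is None else at) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def verify_totp(secret: bytes, code: str, at: Optional[float] = None, drift: int = 1) -> bool:
    """Accept the current step and `drift` steps either side, using a constant-time comparison."""
    now = time.time() if at is None else at
    return any(hmac.compare_digest(totp(secret, now + k * 30), code) for k in range(-drift, drift + 1))


@dataclass
class SignInMethod:
    name: str
    password_hash: bytes
    legacy: bool = False  # a credential from a retired system that is still linked


@dataclass
class Account:
    owner: str
    methods: Dict[str, SignInMethod] = field(default_factory=dict)
    totp_secret: Optional[bytes] = None  # None until the user enrols in 2FA


@dataclass
class Policy:
    allow_legacy_login: bool = True      # pre-incident: the legacy path is still open
    require_second_factor: bool = False  # if True, accounts without 2FA cannot sign in at all


def sign_in(account: Account, method_name: str, password: str, otp: Optional[str],
            policy: Policy, at: Optional[float] = None) -> Tuple[bool, str]:
    method = account.methods.get(method_name)
    if method is None:
        return False, "unknown sign-in method"
    if method.legacy and not policy.allow_legacy_login:
        return False, "legacy sign-in path disabled"
    if not verify_password(password, method.password_hash):
        return False, "wrong password"
    if account.totp_secret is None:
        if policy.require_second_factor:
            return False, "second factor required but not enrolled"
        return True, f"signed in via {method_name} (password only)"
    if not otp or not verify_totp(account.totp_secret, otp, at):
        return False, "wrong or missing one-time code"
    return True, f"signed in via {method_name} with second factor"


def make_demo_account() -> Account:
    """Constructed account: strong password on the current credential, weak one on the linked legacy credential."""
    acct = Account(owner="player")
    acct.methods["nintendo_account"] = SignInMethod("nintendo_account", hash_password("correct horse battery staple"))
    acct.methods["nnid"] = SignInMethod("nnid", hash_password("wiiu123"), legacy=True)
    return acct


if __name__ == "__main__":
    acct = make_demo_account()
    print("legacy path open:    ", sign_in(acct, "nnid", "wiiu123", None, Policy()))
    print("legacy path closed:  ", sign_in(acct, "nnid", "wiiu123", None, Policy(allow_legacy_login=False)))
    acct.totp_secret = os.urandom(20)
    print("2FA enrolled, no code:", sign_in(acct, "nnid", "wiiu123", None, Policy()))
    print("2FA enrolled, code:   ", sign_in(acct, "nnid", "wiiu123", totp(acct.totp_secret), Policy()))
```

The first call succeeds on the weak legacy password alone, which is the situation the article describes. Closing the legacy path (`allow_legacy_login=False`) is the change Nintendo made; enrolling a second factor protects the account even if the legacy path were reopened, because the password check is no longer sufficient on its own.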
Update - 4/24/20 9:30am ET: This article has been updated to include an English language statement from Nintendo UK.