Nintendo blocks legacy logins after 160,000 accounts were compromised (update)

Nintendo has shut down NNID logins and is encouraging Switch owners to lock down their accounts after a wave of fraudulent attacks. Nintendo itself has confirmed that the platform has fallen foul of hackers, who are accessing accounts and using linked PayPal accounts to make expensive digital purchases. Some reports suggest the attacks have been going on for weeks, but have ramped up in the last few days.

According to Ars Technica, victims will receive a plain-text email notice from Nintendo, advising them of a new sign-in and including details of the time, approximate location and device used to access the account. Nintendo says that some 160,000 accounts have been targeted, with private details such as nicknames, email addresses, dates of birth and gender potentially viewed by third parties. The company has confirmed that while purchases have been made via Nintendo accounts, credit card data was not accessed.

It appears that hackers have taken advantage of vulnerabilities surrounding legacy accounts. Before the current account system for Switch and other newer devices was introduced, the company used Nintendo Network ID (also known as NNID) for platforms such as the Wii U and 3DS. These accounts were set up using original screen keyboards, which made it harder to create strong passwords — the current system, meanwhile, allows accounts to be created on a web browser. The bigger problem, however, is that while NNIDs are now a thing of the past, they may still be linked to users’ new accounts. As such, hackers may only need only get into a questionably-secured NNID in order to access a newer account, and the PayPal funds associated with it.

Nintendo has gone straight to the source of the issue and shut down NNIDs completely. In a statement, the company announced it has “abolished the function of logging in to a Nintendo account via NNID,” noting that “passwords will be reset sequentially for NNIDs and Nintendo accounts that have been illegally logged in.”

Nintendo UK later issued a statement on its support site: “We would like to provide an update on the recent incidents of unauthorised access to some Nintendo Accounts. While we continue to investigate, we would like to reassure users that there is currently no evidence pointing towards a breach of Nintendo’s databases, servers or services. As one action in our ongoing investigation, we are discontinuing the ability to use a Nintendo Network ID to sign in to a Nintendo Account. All other options to sign-in to a Nintendo Account remain available.” US users can find a statement and FAQ here.

Console owners — affected by the hack or otherwise — are now being told to enable two-factor authentication (2FA) on their accounts. It’s a straightforward process that provides a robust layer of security, and will can prevent hackers accessing accounts via legacy means like old NNID credentials.

Nintendo has said that it will immediately refund any fraudulent purchases made, but the company has faced some backlash for the way it’s handled the breach. Firstly, it appears that is has been aware of this type of attack for some time, but has only issued guidance after the breach became more widespread. Secondly, its first statement on the situation advised customers to set different passwords for NNID and Nintendo accounts before making a brief mention of 2FA.

Nonetheless, the attack highlights the pervasive security issues associated with legacy accounts. Users will link existing accounts to newer ones for reasons of convenience without necessarily recognizing the potential consequences of doing so. If they don’t implement 2FA, they’re left vulnerable. But many would argue that a company the size of Nintendo should have been aware of these risks, and are therefore responsible for taking more proactive measures to mitigate them.

Update - 4/24/20 9:30am ET: This article has been updated to include an English language statement from Nintendo UK.