Nintendo shut down NNID logins back in April after it discovered hackers had compromised some 160,000 accounts using legacy credentials. Now, the company says that figure may have totalled 300,000. In a Japanese language statement posted today, Nintendo says that in continuing the investigation, it found “approximately 140,000 additional NNIDs" that were vulnerable to being accessed maliciously. It also clarified that the issue was not the result of a direct Nintendo breach, but rather customers using the same passwords in multiple places. Those compromised on other platforms were likely sold or harvested from the dark web.
By taking advantage of vulnerabilities surrounding legacy accounts, hackers were able access newer accounts, and subsequently the PayPal funds associated with it. While credit card information was not directly accessible, hackers were able to exploit their access to these PayPal accounts to make fraudulent purchases for newer systems (like the Switch) that were linked via legacy logins. Details such as nicknames, email addresses and dates of birth were also potentially viewed by third parties.
Nintendo went straight to the source of the problem and shut down NNIDs completely, assuring customers that it would refund fraudulent purchases and — eventually — encouraging users to sign up to two-factor authentication. In today’s statement, Nintendo says that fewer than one percent of the NNIDs that were vulnerable could actually be used to make fraudulent transactions. Passwords for the additional 140,000 accounts have been reset and their owners contacted, and the company says it's “taking additional security measures.” It’s not specified exactly what these are, though.
Nintendo was hit with criticism for the way it originally handled the situation, with many accusing the company of not acting fast enough, and failing to provide proper guidance to those affected. But the conclusion that the issue stemmed largely from users’ repetitive password use is a teachable moment for everyone when it comes to practising good password hygiene.