Nintendo have shared some more details about the Nintendo Network ID incident that occurred earlier this year (see this post for more details). After additional investigation, it was found that the total number of accounts impacted by this incident was higher than initially reported: 140 000 additional accounts may have been impacted, so about 300 000 accounts in total.
Naturally, Nintendo have reset the passwords of these 140 000 Nintendo Network IDs, as well as the Nintendo Accounts they may have been linked to. The company also specifies that additional security measures have been taken to avoid a repeat of this incident (but does not specify what exactly).
It’s estimated that less than 1% of all Nintendo Network IDs that were impacted by this incident were then used to make unauthorized purchases via the linked Nintendo Account. Nintendo is still in the process of offering refunds to users that were impacted by this, though as of today, most refunds have already been processed.
Over the past few weeks, there have been many reports of users having their Nintendo Accounts hijacked, with hackers using them to make unauthorised purchases. The causes of that large-scale incident were rather unclear, as it’s only today that the company released an official statement on the issue.
That statement confirms what some users and outlets had already discovered: the issue lies with the Nintendo Network ID, when it’s linked to a Nintendo Account. Basically, once the Nintendo Network ID was compromised, hackers used it to log in to the Nintendo Account (if Two-Factor Authentication was not enabled), and then made the unauthorised purchases using the Nintendo eShop funds and/or registered credit card/PayPal account.
Unfortunately, Nintendo do not really explain how the Nintendo Network IDs were compromised in the first place, and simply state that it was not from one of their services. They did provide additional details about the incident, though:
Nintendo Network ID
- about 160 000 accounts impacted by unauthorised log-in;
- info viewed by third-parties via this unauthorised log-in: Nickname, date of birth, country / region, email address.
- info viewed by third-parties via this unauthorised log-in: Name, date of birth, gender, country / region, email address. No Credit Card information was leaked as a result of this incident.
In light of this incident, Nintendo have announced that, starting today, you can no longer log in to your Nintendo Account using the Nintendo Network ID tied to your account. Also, Nintendo are going to start resetting the passwords to both the Nintendo Network ID and the Nintendo Account of users who may have been impacted by this issue (which implies that not all users will have their passwords reset).
Nintendo will notify impacted users by email, urging them to reset their Nintendo Network ID and Nintendo Account passwords. Naturally, they strongly recommend against reusing the same password on multiple services, which is basic account security (and not just for Nintendo services). Of course, you cannot just reuse the same passwords as before, or your account will be compromised again. Naturally, both the Nintendo Network ID and the Nintendo Account need to have different passwords.
If your accounts have been compromised, and unauthorised purchases have been made, contact Nintendo so that they can investigate. They will then cancel the purchase(s) and proceed to offer a refund. Of course, this will take some time as they are going to deal with support requests as they receive them, and unfortunately, quite a lot of accounts have been compromised.
To avoid any issues in the future, even if you are not impacted by this incident, Nintendo strongly recommend you activate Two-Factor Authentication. That way, even if someone ends up with the password to your account, they should not be able to do anything. If you really want an extra layer of security, make sure to remove all credit card / PayPal info from your account, and only use Nintendo eShop cards to add funds to your account.
Nintendo pledge to continue their efforts to strengthen the security of their services, in order to avoid similar incidents from occurring in the future.
Here’s an official statement from Nintendo of Europe:
We would like to provide an update on the recent incidents of unauthorised access to some Nintendo Accounts.
While we continue to investigate, we would like to reassure users that there is currently no evidence pointing towards a breach of Nintendo’s databases, servers or services. As one action in our ongoing investigation, we are discontinuing the ability to use a Nintendo Network ID to sign in to a Nintendo Account. All other options to sign-in to a Nintendo Account remain available.
As a further precaution, we will soon contact users about resetting passwords for Nintendo Network IDs and Nintendo Accounts that we have reason to believe were accessed without authorisation.
In addition, we also continue to strongly encourage users to enable two-step verification for their Nintendo Account as instructed here: How to set-up two-step verification for a Nintendo Account.
If any users become aware of unauthorised activity, we encourage them to take the steps outlined in the article about the Nintendo Account recovery process.
During the investigation, in order to deter further attempts of unauthorised sign-ins, we will not reveal more information about the methods employed to gain unauthorised access.
We apologise for the inconvenience and concerns caused to our customers, and we will continue working hard to safeguard the security of our users’ data.