‘Unauthorised access to some Nintendo Accounts’ more widespread than it first appeared

In a post on its support site, Nintendo admits that “unauthorised access to some Nintendo Accounts” has occurred, but insists that no Nintendo servers or databases were breached.

The first rule of an information security breach is that you tell everyone who has been impacted as early as possible.

And this isn’t some “first rule of Fight Club” stuff. These are the rules laid out by numerous regulatory bodies around the world. But for the sake of being specific to the jurisdiction in which Thumbsticks finds itself, we’ll refer to GDPR (General Data Protection Regulation) and the ICO (that’s the Information Commissioner’s Office, the regulatory body that polices such things) and their guidelines on reporting breaches.

  • The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.
  • If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.

So in a circumstance where user accounts or data have been breached, then the organisation must report it to the ICO within 72 hours, and must report it to individuals potentially impacted – in this case, “rights and freedoms” relates to personal data and the potential for financial loss – without any “undue delay”.

Given that people have (anecdotally) been complaining of breaches to their Nintendo Accounts for a couple of weeks now, including unauthorised purchases that haven’t been refunded, that’s not looking very good for Nintendo. The developer and publisher has only today (April 24, 2020) issued a statement about the “unauthorised access to some Nintendo Accounts,” which reads as follows:

We would like to provide an update on the recent incidents of unauthorised access to some Nintendo Accounts.

While we continue to investigate, we would like to reassure users that there is currently no evidence pointing towards a breach of Nintendo’s databases, servers or services. As one action in our ongoing investigation, we are discontinuing the ability to use a Nintendo Network ID to sign in to a Nintendo Account. All other options to sign-in to a Nintendo Account remain available.

As a further precaution, we will soon contact users about resetting passwords for Nintendo Network IDs and Nintendo Accounts that we have reason to believe were accessed without authorisation.

In addition, we also continue to strongly encourage users to enable two-step verification for their Nintendo Account as instructed here: How to set-up two-step verification for a Nintendo Account.

If any users become aware of unauthorised activity, we encourage them to take the steps outlined in the article about the Nintendo Account recovery process.

During the investigation, in order to deter further attempts of unauthorised sign-ins, we will not reveal more information about the methods employed to gain unauthorised access.

We apologise for the inconvenience and concerns caused to our customers, and we will continue working hard to safeguard the security of our users’ data.

The good news is, there doesn’t appear to have been a breach of any of Nintendo’s core systems – including databases and servers containing personal and financial details – which, you may recall, is what happened to Sony’s PlayStation Network in 2011.

The bad news is that, while Nintendo hasn’t made details of the exploit public for obvious reasons, the attack surface will have been fairly large. This is because the unauthorised logins made use of the legacy Nintendo Network ID associated with users’ accounts, and basically everyone who signed up for a Nintendo account on the Wii U or Nintendo 3DS will have one.

To mitigate the vulnerability, Nintendo is disabling the ability to log in with a Nintendo Network ID. But the real solution, the one that all users should adopt, is to enable multi-factor authentication (which Nintendo refers to as two-step verification) on their Nintendo account. This means you’ll have to use a code generated from your smartphone (using the Google Authenticator app) to log in. Your password on its own is then effectively worthless to an attacker, unless they also have in their possession the linked mobile phone to generate the authorisation codes.

Real talk, folks: you should enable multi-factor authentication on any service that supports it. If you wait until a breach comes around, like this one, you might find it’s already too late.

Update: June 9, 2020

In a post on its Japanese support site – originally reported by IGN – Nintendo has confirmed that another 140,000 accounts have been compromised. That’s an additional 140,000 accounts on top of the original 160,000 accounts, making it a total of 300,000 accounts.

The Nintendo article states that the following information might have been visible to an attacker: “Nickname, date of birth, country/region, email address”. It’s also quick to remind users that the breach represents less than 1% of Nintendo Accounts worldwide.

This is a timely reminder that you should always use multi-factor authentication on your accounts. Even if a service provider says that a vulnerability has been fixed. Especially if a service provider says that a vulnerability has been fixed.


Tom is an itinerant freelance technology writer who found a home as an Editor with Thumbsticks. Powered by coffee, RPGs, and local co-op.
