In a post on its support site, Nintendo admits that “unauthorised access to some Nintendo Accounts” has occurred, but insists that no Nintendo servers or databases were breached.
The first rule of an information security breach is that you tell everyone who has been impacted as early as possible.
And this isn’t some “first rule of Fight Club” stuff. These are the rules laid out by numerous regulatory bodies around the world. But for the sake of being specific to the jurisdiction in which Thumbsticks finds itself, we’ll refer to the GDPR (General Data Protection Regulation) and the ICO (that’s the Information Commissioner’s Office, the regulatory body that polices such things) and their guidelines on reporting breaches.
- The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.
- If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.
So where user accounts or data have been breached, the organisation must report it to the ICO within 72 hours, and must report it to the individuals potentially impacted – in this case, “rights and freedoms” relates to personal data and the potential for financial loss – without any “undue delay”.
Given that people have (anecdotally) been complaining of breaches to their Nintendo Accounts for a couple of weeks now, including unauthorised purchases that haven’t been refunded, that’s not looking very good for Nintendo. The developer and publisher has only today (April 24, 2020) issued a statement about the “unauthorised access to some Nintendo Accounts,” which reads as follows:
We would like to provide an update on the recent incidents of unauthorised access to some Nintendo Accounts.
While we continue to investigate, we would like to reassure users that there is currently no evidence pointing towards a breach of Nintendo’s databases, servers or services. As one action in our ongoing investigation, we are discontinuing the ability to use a Nintendo Network ID to sign in to a Nintendo Account. All other options to sign in to a Nintendo Account remain available.
As a further precaution, we will soon contact users about resetting passwords for Nintendo Network IDs and Nintendo Accounts that we have reason to believe were accessed without authorisation.
In addition, we also continue to strongly encourage users to enable two-step verification for their Nintendo Account as instructed here: How to set-up two-step verification for a Nintendo Account.
If any users become aware of unauthorised activity, we encourage them to take the steps outlined in the article about the Nintendo Account recovery process.
During the investigation, in order to deter further attempts of unauthorised sign-ins, we will not reveal more information about the methods employed to gain unauthorised access.
We apologise for the inconvenience and concerns caused to our customers, and we will continue working hard to safeguard the security of our users’ data.
The good news is, there doesn’t appear to have been a breach of any of Nintendo’s core systems – including databases and servers containing personal and financial details – which, you may recall, is what happened to Sony’s PlayStation Network in 2011.
The bad news is that, while Nintendo hasn’t made details of the exploit public for obvious reasons, the pool of exposed accounts will have been fairly large. This is because the unauthorised logins made use of the legacy Nintendo Network ID associated with users’ accounts, and basically everyone who signed up for a Nintendo account on the Wii U or Nintendo 3DS will have one.
To mitigate the vulnerability, Nintendo is disabling the ability to log in with a Nintendo Network ID. But the real solution, the step that all users should take, is to enable multi-factor authentication (which Nintendo refers to as two-step verification) on their Nintendo account. This means you’ll have to use a code generated on your smartphone (using the Google Authenticator app) to log in. Your password on its own is then effectively worthless, unless the attacker also has in their possession the linked mobile phone that generates the authorisation codes.
Real talk, folks: you should enable multi-factor authentication on any service that supports it. If you wait until a breach comes around, like this one, you might find it’s already too late.
Update: June 9, 2020
In a post on its Japanese support site – originally reported by IGN – Nintendo has confirmed that another 140,000 accounts have been compromised. That’s an additional 140,000 accounts on top of the original 160,000 accounts, making it a total of 300,000 accounts.
The Nintendo article states that the following information might have been visible to an attacker: “Nickname, date of birth, country/region, email address”. It’s also quick to remind users that the breach represents less than 1% of Nintendo Accounts worldwide.
This is a timely reminder that you should always use multi-factor authentication on your accounts. Even if a service provider says that a vulnerability has been fixed. Especially if a service provider says that a vulnerability has been fixed.