Connect with us
Advertisement

News

‘Unauthorised access to some Nintendo Accounts’ more widespread than it first appeared

In a post on its support site, Nintendo admits that “unauthorised access to some Nintendo Accounts” has occurred, but insists that no Nintendo servers or databases were breached.

Published

on

Nintendo Accounts breach 2020
Nintendo

In a post on its support site, Nintendo admits that “unauthorised access to some Nintendo Accounts” has occurred, but insists that no Nintendo servers or databases were breached.

The first rule of an information security breach is that you tell everyone who has been impacted as early as possible.

And this isn’t some “first rule of Fight Club” stuff. These are the rules laid out by numerous regulatory bodies around the world. But for the sake of being specific to the jurisdiction in which Thumbsticks finds itself, we’ll refer to GDPR (General Data Protection Regulations) and the ICO (that’s the Information Commissioner’s Office, the regulatory body that polices such things) and their guidelines on reporting breaches.

Advertisement
  • The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.
  • If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.

So in a circumstance where user accounts or data have been breached, then the organisation must report it to the ICO within 72 hours, and must report it to individuals potentially impacted – in this case, “rights and freedoms” relates to personal data and the potential for financial loss – without any “undue delay”.

Given that people have (anecdotally) been complaining of breaches to their Nintendo Accounts for a couple of weeks now, including unauthorised purchases that haven’t been refunded, that’s not looking very good for Nintendo. The developer and publisher has only today (April 24, 2020) issued a statement about the “unauthorised access to some Nintendo Accounts,” which reads as follows:

We would like to provide an update on the recent incidents of unauthorised access to some Nintendo Accounts.

While we continue to investigate, we would like to reassure users that there is currently no evidence pointing towards a breach of Nintendo’s databases, servers or services. As one action in our ongoing investigation, we are discontinuing the ability to use a Nintendo Network ID to sign in to a Nintendo Account. All other options to sign-in to a Nintendo Account remain available.

Advertisement

As a further precaution, we will soon contact users about resetting passwords for Nintendo Network IDs and Nintendo Accounts that we have reason to believe were accessed without authorisation.

In addition, we also continue to strongly encourage users to enable two-step verification for their Nintendo Account as instructed here: How to set-up two-step verification for a Nintendo Account.

If any users become aware of unauthorised activity, we encourage them to take the steps outlined in the article about the Nintendo Account recovery process.

During the investigation, in order to deter further attempts of unauthorised sign-ins, we will not reveal more information about the methods employed to gain unauthorised access.

We apologise for the inconvenience and concerns caused to our customers, and we will continue working hard to safeguard the security of our users’ data.

The good news is, there doesn’t appear to have been a breach of any of Nintendo’s core systems – including databases and servers containing personal and financial details – which, you may recall, is what happened to Sony’s PlayStation Network in 2011.

The bad news is that, while Nintendo hasn’t made details of the exploit public for obvious reasons, the attack vector will have been fairly large. This is because the unauthorised logins made use of the legacy Nintendo Network ID associated with users accounts, and basically everyone who signed up for a Nintendo account on the Wii U or Nintendo 3DS will have one.

Advertisement
Advertisement

To mitigate the vulnerability, Nintendo is disabling the ability to login with a Nintendo Network ID. But the real solution, the one that all users should do, is to enable multi-factor authentication (which Nintendo refers to as two-step verification) on their Nintendo account. This means you’ll have to use a code generated from your smartphone (using the Google Authenticator app) to login. This means your password on its own is effectively worthless, unless you also have in your possession the linked mobile phone to generate the authorisation codes.

Advertisement

Real talk, folks: you should enable multi-factor authentication on any service that supports it. If you wait until a breach comes around, like this one, you might find it’s already too late.

Update: June 9, 2020

In a post on its Japanese support site – originally reported by IGN – Nintendo has confirmed that another 140,000 accounts have been compromised. That’s an additional 140,000 accounts on top of the original 160,000 accounts, making it a total of 300,000 accounts.

The Nintendo article states that the following information might have been visible to an attacker: “Nickname, date of birth, country/region, email address”. It’s also quick to remind users that the breach represents less than 1% of Nintendo Accounts worldwide.

This is a timely reminder that you should always use multi-factor authentication on your accounts. Even if a service provider says that a vulnerability has been fixed. Especially if a service provider says that a vulnerability has been fixed.


For all the important video game news stories (and information security advice, when appropriate) follow Thumbsticks on FacebookGoogle NewsTwitter, and Flipboard.

Want more neat stuff?

If you want to keep abreast of the latest news, features, reviews, guides, and sales, we can send all our latest articles and great content straight to your inbox. You know, collated together, once or twice a week, in a newsletter. We wouldn't send them one at a time – that would be weird and annoying!

Recommended for you

Tom is an itinerant freelance technology writer who found a home as an Editor with Thumbsticks. Powered by coffee, RPGs, and local co-op.

Advertisement

Latest from Thumbsticks

Deltarune logo Deltarune logo
News9 hours ago

Deltarune Chapter 2 release date revealed by Toby Fox

Deltarune Chapter 2 is almost upon us. We don't need to tell you to "please be excited" for this one.

Tux and Fanny video game Tux and Fanny video game
Features11 hours ago

Surreal web cartoon Tux and Fanny makes for a sublime video game

In one day I went from not knowing a thing about Tux and Fanny to proclaiming it the best video...

Battlefield 2042 key art Battlefield 2042 key art
News16 hours ago

Battlefield 2042 release date bumped to November

Electronic Arts has confirmed that the upcoming military shooter Battlefield 2042 will be released one month later than planned. EA says...

Age of Empires IV key art Age of Empires IV key art
News1 day ago

The developers want you to break Age of Empires IV this weekend

After a number of balloted tests, the floodgates will open for a limited-time, unrestricted stress test for Age of Empires...

Playstation Store Double Discounts Sale Playstation Store Double Discounts Sale
News1 day ago

The PlayStation Store Double Discounts sale returns

PS Plus members get double discounts on PS4 and PS5 games in the latest PlayStation Store video game sale.

Nintendo Switch Bluetooth Nintendo Switch Bluetooth
News2 days ago

Latest Nintendo Switch update adds support for Bluetooth headphones

It's taken a long time, but you can now use your Bluetooth headphones with your Nintendo Switch.

SkateBIRD keyart - Xbox Game Pass SkateBIRD keyart - Xbox Game Pass
News2 days ago

More super games join Xbox Game Pass from today

SkateBird, Sable, and Subnautica: Below Zero are among the games coming to Xbox Game Pass before the end of September 2021.

Xbox - Halo: The Master Chief Collection Xbox - Halo: The Master Chief Collection
News2 days ago

Save on next-gen optimised games in this week’s new Xbox sales

This week's digital sales include discounts on Xbox Game Studios titles and Xbox Series X|S optimised releases.

Advertisement