Nintendo confirms 160,000 accounts compromised in privacy breach

Deal editor75
Posted 24th Apr
There's been speculation over the past few days that a number of Nintendo accounts had been compromised due to a data breach. Nintendo have now confirmed that 160,000 accounts have been affected.

Thank you very much for your patronage of our products.

We have confirmed that we have experienced a phenomenon that appears to have made a spoof login to "Nintendo Network ID(*1, hereinafter NNID)" from around the beginning of April using login ID and password information obtained illegally from outside our service by any means.
We also confirmed that some Nintendo accounts have been illegally logged in via NNID using this spoof login.

For this reason, we have discontinued the ability to log in to your Nintendo account via NNID today.
In addition, we will perform a sequential password reset for NNID and Nintendo accounts that may have been logged in illegally.

<お客様ヘのお願い>

  • NNIDs and Nintendo accounts whose password was reset will be notified by e-mail, so please reset your password the next time you use it. In that case, please avoid using a password you already use on other services.
  • If you have been logged into your Nintendo Account via NNID, please log in with your Nintendo Account email address/login ID after the next login.
  • If you use the same password for NNID and Nintendo account, you may be able to illegally use your balance and registered credit card/PayPal at the My Nintendo Store or Nintendo e-Shop. Please set a different password for NNID and Nintendo account. In connection with this unauthorized login, if the damage such as the purchase history that you do not remember in the customer's Nintendo account is confirmed, after conducting an individual investigation, we will cancel the purchase, etc. Please wait as we proceed with the procedures.
  • In addition, from before [How to guide]: in order to use our services safely and securely, we ask that you set up two-step verification for your Nintendo account.

Details on the impact of this matter are as follows:

  • NNID that may have received an illegal login: approximately 160,000 accounts
  • Information that may have been viewed by a third party: the following information registered in NNID
      • Nickname, date of birth, country/region, email address


Nintendo have temporarily disabled logins for Nintendo Network IDs and passwords will be reset.

[Full statement here] - Use Chrome for translation.
75 Comments
Be careful guys. I was hacked a few weeks ago. Set up 2 step on as much as you can and change passwords. Turn off auto approve on PayPal to Nintendo too as a precaution
Read about this the other day and set up the 2 step authenticator.
Looks like I never set up NNID... but added 2 step authentication as backup anyway.
"Nickname, date of birth, country/region, email address"

And this is why you should use a fake DOB for near enough everything these days. There is absolutely no reason for Nintendo to know people's DOB, especially if that person is aged over 18. They demand completely unnecessary information and then don't secure that information responsibly enough.

Incidentally, that Japanese in the OP means 'a request for our customers'. It's nothing extra to worry about.
Just wait for the emails asking for 2000 pounds of Bitcoin as they have your password now as well as compromising videos which they will send to 15 of your friends
Spark 24/04/2020 13:08

"Nickname, date of birth, country/region, email address" And this is why you should use a fake DOB for near enough everything these days. There is absolutely no reason for Nintendo to know people's DOB, especially if that person is aged over 18. They demand completely unnecessary information and then don't secure that information responsibly enough. Incidentally, that Japanese in the OP means 'a request for our customers'. It's nothing extra to worry about.


I agree that Nintendo (And many others) don't need to know your DOB. Using a fake one is a good idea, however if you do need to use that data to recover the account and don't remember what you entered could pose a challenge.
😡 Not again, just getting over the Virgin data breach, is my information safe anywhere
Yip had 7 logins the other day all over the world. This explains it
Brydo666 24/04/2020 13:33

I agree that Nintendo (And many others) don't need to know your DOB. Using a fake one is a good idea, however if you do need to use that data to recover the account and don't remember what you entered could pose a challenge.


Well you just use a standard fake and/or just store it somewhere. It can even be a friend's birthday or something like that. Just don't use your own or that of your kids, spouse etc.
DanBro 24/04/2020 13:35

😡 Not again, just getting over the Virgin data breach, is my information safe anywhere


The Japanese are especially bad at data security. One of the reasons PSN is likely a lot stronger now is because they moved their headquarters from Tokyo to California.
To be clear, these login credentials were obtained from outside of Nintendo - Nintendo weren't actually hacked.

A third-party performed "credential stuffing", where they take all the usernames/passwords they've obtained, and try to log into various services to find ones that work. Here, Nintendo were merely the target. For the username/password combinations that did allow them to login to Nintendo's services, that's where the personal details were obtained. So this is no different to me guessing (or stealing) someone's login, and logging in to HUKD with it to view their details.

There are things you can do to limit credential stuffing attempts against your services, but the responsibility is also on users for using the same username and password combinations across different sites/services - this is bad practice.
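An added example, not part of the comment above and not Nintendo's own tooling: one way a service can spot the credential-stuffing pattern described here in its login events, and list the accounts that then need a forced password reset. The event format, the thresholds and the sample data are all assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, outcome). Not real data.
SAMPLE_EVENTS = [
    ("203.0.113.7", "alice", "fail"),
    ("203.0.113.7", "bob", "fail"),
    ("203.0.113.7", "carol", "ok"),      # a reused password that still worked
    ("203.0.113.7", "dave", "fail"),
    ("203.0.113.7", "erin", "fail"),
    ("203.0.113.7", "frank", "fail"),
    ("198.51.100.4", "grace", "fail"),   # one user mistyping their own password
    ("198.51.100.4", "grace", "fail"),
    ("198.51.100.4", "grace", "ok"),
    ("192.0.2.10", "heidi", "ok"),       # ordinary login
]


def find_stuffing(events, min_accounts=5, max_success_ratio=0.3):
    """Return {source_ip: accounts that logged in successfully} for sources
    that tried many distinct accounts and mostly failed.

    Counting distinct usernames (not raw attempts) separates stuffing from a
    single user retrying a forgotten password. Thresholds are assumed values.
    """
    tried = defaultdict(set)
    succeeded = defaultdict(set)
    for ip, user, outcome in events:
        tried[ip].add(user)
        if outcome == "ok":
            succeeded[ip].add(user)

    flagged = {}
    for ip, users in tried.items():
        ratio = len(succeeded[ip]) / len(users)
        if len(users) >= min_accounts and ratio <= max_success_ratio:
            flagged[ip] = sorted(succeeded[ip])
    return flagged


def accounts_to_reset(events, **thresholds):
    """Accounts that were accessed from a flagged source and need a reset."""
    hits = find_stuffing(events, **thresholds)
    return sorted({user for users in hits.values() for user in users})


if __name__ == "__main__":
    for ip, users in find_stuffing(SAMPLE_EVENTS).items():
        print(f"{ip}: suspected stuffing, successful logins: {users}")
    print("force password reset for:", accounts_to_reset(SAMPLE_EVENTS))
```

A per-source threshold like this misses attempts spread thinly across many addresses, so it complements two-step verification rather than replacing it.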
SourMash91 24/04/2020 12:30

Be careful guys. I was hacked a few weeks ago. Set up 2 step on as much as you can and change passwords. Turn off auto approve on PayPal to Nintendo too as a precaution


Do you know how I do this please?
A reminder!

Use 2 factor authentication wherever you can! Use Authy to sync your codes across all your devices!

Nintendo supports 2 factor authentication!
kizonxks 24/04/2020 13:47

Do you know how I do this please?


Head to accounts.nintendo.com/ and login, go to security / login, at the bottom there is an option for 2 factor authentication
Edited by: "KeyboardKitten" 24th Apr
Spark 24/04/2020 13:08

"Nickname, date of birth, country/region, email address" And this is why you should use a fake DOB for near enough everything these days. There is absolutely no reason for Nintendo to know people's DOB, especially if that person is aged over 18. They demand completely unnecessary information and then don't secure that information responsibly enough. Incidentally, that Japanese in the OP means 'a request for our customers'. It's nothing extra to worry about.



It wasn't Nintendo that didn't secure data correctly - these usernames/passwords were stolen from elsewhere, from a different hack, the third-party then attempted all the combinations they had against Nintendo's services until they found ones that the users had re-used across sites.
and what's the GDPR implications of this security breach...

I really don't understand the point of the GDPR since there are breaches from big companies every day and with nothing coming out of it apart from yet more data leaked. Shame on you Nintendo
Spark 24/04/2020 13:41

The Japanese are especially bad at data security. One of the reasons PSN is likely a lot stronger now is because they moved their headquarters from Tokyo to California.


This made me laugh because Japan are considered an adequate country under EU data protection law, yet the U.S aren't even close.
coalfield 24/04/2020 14:08

and what's the GDPR implications of this security breach... I really don't understand the point of the GDPR since there are breaches from big companies every day and with nothing coming out of it apart from yet more data leaked. Shame on you Nintendo



Was your data affected? If so, make a complaint to Nintendo and the ICO. The implications are that they have breached the data protection principles and a few articles of GDPR so could face an investigation if they believe the risk is high.
coalfield 24/04/2020 14:08

and what's the GDPR implications of this security breach... I really don't understand the point of the GDPR since there are breaches from big companies every day and with nothing coming out of it apart from yet more data leaked. Shame on you Nintendo



This wasn't Nintendo's fault, they weren't hacked - these usernames/passwords were stolen from elsewhere, from a different hack, the third-party then attempted all the combinations they had against Nintendo's services until they found ones that the users had re-used across sites. It's no different to me guessing your password on HUKD and viewing your profile on here, you wouldn't shout GDPR at HUKD for that.
TimmyRaa 24/04/2020 14:11

This wasn't Nintendo's fault, they weren't hacked - these usernames/passwords were stolen from elsewhere, from a different hack, the third-party then attempted all the combinations they had against Nintendo's services until they found ones that the users had re-used across sites. It's no different to me guessing your password on HUKD and viewing your profile on here, you wouldn't shout GDPR at HUKD for that.


Fair enough I take it back if this is the case and not spin. Still question the GDPR and its effectiveness in dealing with breaches including where this data originally came from
dbizal 24/04/2020 12:31

Read about this the other day and set up the 2 step authenticator.


You can two-step on your Nintendo account?
PaulsGamingLive 24/04/2020 13:32

Just wait for the emails asking for 2000 pounds of Bitcoin as they have your password now as well as compromising videos which they will send to 15 of your friends


We have your screenshots of peach in a bikini. Leave all your turnips under the cherry tree at midnight or we dm your mum
Got caught by this a couple of months back, took £170 out of paypal for v-bucks
Nintendo refunded pretty quick (couple of days)
PayPal didn't want to know, took 2 weeks to get a response off any email, hence why I refuse to use them
Yup cost me £160 in vbucks, waiting on Nintendo to get back to me regarding a refund. Doesn't help their phone lines are down due to covid19
Nintend-oh-dear. That Wario is up to no good again.
PaulsGamingLive 24/04/2020 13:32

Just wait for the emails asking for 2000 pounds of Bitcoin as they have your password now as well as compromising videos which they will send to 15 of your friends



Hmmm had one of those yesterday
PaulsGamingLive 24/04/2020 13:32

Just wait for the emails asking for 2000 pounds of Bitcoin as they have your password now as well as compromising videos which they will send to 15 of your friends



Do you really think they will have those videos stored???? oh no...the horror....some of my performances on Just Dance have been catastrophic!!! The shame, the embarrassment... I won't be able to go out
Spark 24/04/2020 13:08

"Nickname, date of birth, country/region, email address" And this is why you should use a fake DOB for near enough everything these days. There is absolutely no reason for Nintendo to know people's DOB, especially if that person is aged over 18. They demand completely unnecessary information and then don't secure that information responsibly enough. Incidentally, that Japanese in the OP means 'a request for our customers'. It's nothing extra to worry about.



I always take DOB as a "memorable date" and not my DOB..

What I love now is when you buy an item in store and they ask for your email address. No thanks, I will take the paper receipt, and if bought on a bank card my bank statement can also be used as a receipt. Also love the funny looks when they are like "you don't have an email". No, I don't want to give you 1 of my many email addresses.
Unless I am mistaken NNID is used for 3DS / Wii U and NOT Nintendo Switch.

Don't panic if the switch is your first Nintendo console.
DanBro 24/04/2020 13:35

😡 Not again, just getting over the Virgin data breach, is my information safe anywhere


To be honest, no. Security breaches are going to get more common and severe I reckon.
Jokes aside - this does explain the Israel login access I had pop up on my dashboard not long ago - and went in and changed my password as a consequence!
smashed 24/04/2020 15:10

Unless I am mistaken NNID is used for 3DS / Wii U and NOT Nintendo Switch. Don't panic if the switch is your first Nintendo console.


Yes that's true. Mine was hacked via NNID. I had set it up years ago with an incredibly old password that is linked to my email address. It was only ever used as a password for my "I don't care if it's hacked" accounts (who cares if your 3DS account is hacked) but really annoying now. Thankfully saw the login messages and quickly kicked login. Now I know how they kept getting back in no matter how many times I changed the Switch password... No money lost. It's interesting though - that password/email address combo only ever appeared on the known hacked list on HaveIBeenPwned when I created a Fortnite account on the Switch. I always blamed Epic for that but maybe Nintendo are the problem.
TimmyRaa 24/04/2020 13:46

To be clear, these login credentials were obtained from outside of Nintendo - Nintendo weren't actually hacked. A third-party performed "credential stuffing", where they take all the usernames/passwords they've obtained, and try to log into various services to find ones that work. Here, Nintendo were merely the target. For the username/password combinations that did allow them to login to Nintendo's services, that's where the personal details were obtained. So this is no different to me guessing (or stealing) someone's login, and logging in to HUKD with it to view their details. There are things you can do to limit credential stuffing attempts against your services, but the responsibility is also on users for using the same username and password combinations across different sites/services - this is bad practice.


How do you remember/store your passwords? I know some people who store their passwords in a secure manner and then copy and paste it in to the form. It was only recently that I actually realised that any app on android/ios is allowed to read the contents of your clipboard at all times. It was an app that suggested it knew what I was about to paste into a form that made me look it up. Basic things like that are big security holes.
peakbear 24/04/2020 15:35

How do you remember/store your passwords? I know some people who store their passwords in a secure manner and then copy and paste it in to the form. It was only recently that I actually realised that any app on android/ios is allowed to read the contents of your clipboard at all times. It was an app that suggested it knew what I was about to paste into a form that made me look it up. Basic things like that are big security holes.


And here is a very recent newspaper article on it.

telegraph.co.uk/tec…on/
Spark 24/04/2020 13:08

"Nickname, date of birth, country/region, email address" And this is why you should use a fake DOB for near enough everything these days. There is absolutely no reason for Nintendo to know people's DOB, especially if that person is aged over 18. They demand completely unnecessary information and then don't secure that information responsibly enough. Incidentally, that Japanese in the OP means 'a request for our customers'. It's nothing extra to worry about.


I agree from a privacy standpoint that that is a good idea, but what do you do when you've signed up to a service with fake details and then are asked to prove them to get your account back...
Carphone Warehouse set up 4 phone contracts without my consent, 2 through Vodafone. Vodafone threatened me with debt collection after I informed them it was new to me. My name wasn't even spelt correctly, no dob, and they just used 1st line of my address. I ended up having to complain to the ombudsman to get Vodafone to listen to me. I used the ombudsman through a technicality, as there is no ombudsman for cfw as they are not a telephony provider, just a 3rd party seller.
Was simply disgusting experience as Vodafone was telling me I couldn't cancel it as I could be the fraudster
6 months ish later they sent me £25 compensation as gw, didn't come close to the money spent on calls and travel to cfw and Vodafone and to visit banks whom I didn't have an account with but the details were used, so cfw at point of sale did no checks, prob inside job or someone hitting targets. I like to avoid both with enthusiasm.
Edited by: "gootti" 24th Apr
Happened to me a few months ago, only noticed when I got a PayPal alert for 2 X £80 payments to Nintendo for v-bucks.
E-mailed Nintendo on the Thursday, they e-mailed back asking a few questions and money was refunded on the Monday