Nintendo Switch player slapping forehead showing breach of Nintendo Accounts resulting in abuse of payment information

Hackers Breached Over 160,000 Nintendo Accounts and Misused Payment Information, the Company Admits

Nintendo, the Japanese gaming company, has admitted that over 160,000 accounts have been affected by the latest data breach that exposed users’ payment information. Nintendo users had repeatedly complained on social media of the payment information on their Nintendo accounts being misused to make purchases for Fortnite currency, V-Bucks, Nintendo games, and other digital items. The gaming company said the hackers abused the Nintendo Network ID (NNID) integration to gain access to the linked user profiles of the main Nintendo accounts. Nintendo said it has disabled the network IDs and users will no longer be able to use them to access their accounts.

Nintendo accounts payment information compromised by the hack

The hackers could access the linked payment services such as credit cards and PayPal account linked to the Nintendo accounts compromised through the NNID. Nintendo also confirms that profile information such as date of birth, country, region, and email addresses were obtained illegally by hackers. This information could be used to obtain payment information by phishing the affected users. Although the hackers could make purchases, they did not see the credit card information.

The nature of the Nintendo accounts’ hack

Although Nintendo did not provide a specific date when the Nintendo accounts breach took place, the gaming company says the accounts have been compromised since the beginning of April. The compromise of Nintendo accounts emanated from the ability to link outdated Nintendo Network IDs to Nintendo accounts. The NNID required the use of a unique username and password. The use of older NNID was maintained to allow access of Nintendo accounts to older Nintendo consoles such as 3DS and Wii U devices. The use of the NNID also allowed users to link older accounts to the new accounts. The latest consoles such as the newer Nintendo Switch uses the latest Nintendo Account System that allows the use of an email and password. For users who use the same password for the NNID and Nintendo account, their payment information is at risk of being used to make purchases at My Nintendo Store or Nintendo eShop.

Gaming has always been a lucrative business for companies and a lucrative target for hackers. Popular ransomware, Syrk, was targeting Fortnite’s games in 2019 by claiming to offer gaming hacking tools. The leakage of the source code for Counter-Strike: Global Offensive, as well as Team Fortress 2, also raised concerns over the safety of the platform. Accounts that store users’ payment information should implement better security features to protect their users from irreparable financial damages.

Reaction by Nintendo

Nintendo has already reset the passwords of the affected accounts and has reached out to the affected users and advised them to change their passwords. The company also recommends that users enable two-factor authentication to protect their accounts and payment information from illegal access. Two-factor authentication works by generating a one-time code during each login. Additionally, the gaming company has reacted by disabling the ability to log into a Nintendo account using the NNID. Nintendo has also requested users whose payment information on their Nintendo accounts were used to make the illegal purchases to request for a refund.

Jason Kent, Hacker in Residence at Cequence Security, says companies should pay attention to legacy systems that could grant hackers a backdoor into their systems.

“Organizations need to pay attention to not only points of access in production environments but also all their deprecated and development endpoints,” Kent said. “These often-forgotten and unsecured APIs can be used by hackers to gain side-door access into systems to achieve the same access to confidential information and monetary gain as if they went through the front door.”

He noted however that securing such endpoints becomes tricky when the organizations forget their existence.

“Unfortunately, most organizations lack full visibility of their APIs, making it a challenge to adequately secure them.”