Just a couple of days ago Hackread.com reported how Nintendo customers were complaining about their accounts being compromised or accessed from unknown locations. Some also shared screenshots of fraudulent financial transactions from their PayPal balance in which hackers went on a shopping spree.
Now, it has been confirmed that Nintendo suffered a massive data breach in which up to 160,000 Nintendo accounts were accessed by hackers, or by a third party, as Nintendo likes to call it.
In its official statement, the company acknowledged the breach and revealed that the incident took place due to a vulnerability in Nintendo’s Nintendo Network ID (NNID) system. NNID is one of several systems that let users log in to their accounts.
Nintendo further revealed on its Japanese website that the potentially accessed data included NNID usernames and passwords, nickname, email address, gender, date of birth, and country/region.
Nintendo maintains that no payment card data was exposed in the breach. However, the fraudulent transactions were carried out from My Nintendo Store or Nintendo eShop only on those accounts that were using the same password for their NNID and Nintendo account.
The company is urging users to choose different passwords for their NNID and Nintendo account. If your account was exposed, Nintendo will contact you. As of now, logging in to a Nintendo account via the NNID method has been disabled, and all affected NNID passwords will be reset.
“In response to recent incidents related to some Nintendo Accounts, it is no longer possible to sign into a Nintendo Account using a Nintendo Network ID,” the company said in a tweet.
If you have a Nintendo account, we advise you to watch out for phishing and malware emails disguised as password reset emails from Nintendo.
In response to recent incidents related to some Nintendo Accounts, it is no longer possible to sign into a Nintendo Account using a Nintendo Network ID. We apologise for any inconvenience caused. Please visit our Support website for more information: https://t.co/GMrXr5OHW0
— Nintendo UK (@NintendoUK) April 24, 2020
In a conversation with Hackread.com, Tyler Carbone, Chief Strategy Officer at digital risk protection provider Terbium Labs, said:
“It’s worth noting that this breach was related to accounts with NO two-factor authentication – that’s how attackers got in and then spread. So, yet again, we repeat the story we tell over and over – basic cybersecurity practices and hygiene are so essential. It’s the simple stuff that can deter events like this. Two-factor authentication just shouldn’t be optional anymore.”
Nevertheless, Nintendo has already introduced 2-Step Verification in which a user is granted access only after successfully presenting two or more pieces of evidence to an authentication mechanism. Here’s how to enable 2FA on your Nintendo account:
2- Select Sign-in and security settings, then scroll down to 2-Step Verification and click Edit.
3- Click 2-Step Verification settings.
4- Click Send email to have a verification code sent to the email address on file.
> If the email address is incorrect, click the Email address menu setting under User Info to change it.
5- Enter the verification code from the email, then Submit.
6- Install the Google Authenticator app on your smart device.
> This is a free app, available through Google Play (Android) and the App Store (iOS).
7- Use the smart device app to scan the QR code displayed on your Nintendo Account screen.
8- A 6-digit verification code will appear on your smart device. Enter the verification code into the field under step 3 on the Nintendo Account screen, then Submit.
9- A list of backup codes will appear. Click Copy to copy all the codes, then paste them somewhere safe.
> A backup code will be required to log in if you don’t have access to the Google Authenticator app. MAKE SURE TO KEEP THESE SOMEWHERE SAFE.
> You can use these (one time each) if you do not have access to the Google Authenticator app.
10- Click I have saved the backup codes, then OK.
> Once set, you can return to the 2-step verification settings section to review the backup codes and remove the 2-step restriction.
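What the authenticator app and a sign-in server compute behind steps 7 to 9, as an added example that is not Nintendo's code: the standard TOTP algorithm (RFC 6238) that Google Authenticator implements, plus backup codes that work one time each. The `SecondFactor` class, its method names and the sample secret are assumptions made for illustration.

```python
import base64, hashlib, hmac, struct, time

STEP = 30  # seconds per code, the RFC 6238 default

def hotp(secret_b32, counter, digits=6):
    """RFC 4226 one-time code for a given counter (HMAC-SHA1)."""
    key = base64.b32decode(secret_b32, casefold=True)  # secret carried by the QR code
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                            # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret_b32, at=None):
    """6-digit code the app shows: HOTP over the current 30-second step."""
    now = time.time() if at is None else at
    return hotp(secret_b32, int(now // STEP))

def _digest(code):
    return hashlib.sha256(code.encode()).hexdigest()

class SecondFactor:
    """Hypothetical server-side second-factor state for one account."""
    def __init__(self, secret_b32, backup_codes):
        self.secret = secret_b32
        self.backup = {_digest(c) for c in backup_codes}  # store hashes only
        self.last_step = -1                               # highest step accepted

    def verify(self, submitted, at=None, window=1):
        """Return 'totp', 'backup' or None; every accepted code is burned."""
        now_step = int((time.time() if at is None else at) // STEP)
        for step in range(now_step - window, now_step + window + 1):
            if step <= self.last_step:        # already used or older: no replay
                continue
            expected = hotp(self.secret, step).encode()
            if hmac.compare_digest(expected, submitted.encode()):
                self.last_step = step
                return "totp"
        if _digest(submitted) in self.backup:
            self.backup.discard(_digest(submitted))  # usable one time each
            return "backup"
        return None

# Constructed sample: the RFC test secret "12345678901234567890" in base32.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
```

The `window` of one step tolerates a phone clock that is up to 30 seconds off, and tracking `last_step` means a code captured by a phishing page cannot be replayed once the real user has signed in with it.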