UPDATE 2PM UK: Nintendo has now published an English-language statement on today’s announcement that its account system has suffered a privacy breach affecting up to 160,000 people.
In the statement, Nintendo says that, at present, there is no evidence to suggest Nintendo’s own databases, servers or services have been accessed. This again suggests the log-in data used to access accounts was obtained elsewhere and then reused to sign in to Nintendo accounts – a tactic known as credential stuffing.
To protect accounts going forward, Nintendo will not detail more of how the attack took place.
Finally, as we reported earlier, log-in via Nintendo Network ID has been disabled and all users are strongly advised to enable two-factor authentication immediately.
Nintendo’s statement follows in full:
We would like to provide an update on the recent incidents of unauthorised access to some Nintendo Accounts.
While we continue to investigate, we would like to reassure users that there is currently no evidence pointing towards a breach of Nintendo’s databases, servers or services. As one action in our ongoing investigation, we are discontinuing the ability to use a Nintendo Network ID to sign in to a Nintendo Account. All other options to sign-in to a Nintendo Account remain available.
As a further precaution, we will soon contact users about resetting passwords for Nintendo Network IDs and Nintendo Accounts that we have reason to believe were accessed without authorisation.
In addition, we also continue to strongly encourage users to enable two-step verification for their Nintendo Account as instructed here: How to set-up two-step verification for a Nintendo Account.
If any users become aware of unauthorised activity, we encourage them to take the steps outlined in the article about the Nintendo Account recovery process.
During the investigation, in order to deter further attempts of unauthorised sign-ins, we will not reveal more information about the methods employed to gain unauthorised access.
We apologise for the inconvenience and concerns caused to our customers, and we will continue working hard to safeguard the security of our users’ data.
ORIGINAL STORY 12PM UK: Nintendo has confirmed that up to 160,000 Nintendo Accounts have been accessed in an enormous privacy breach.
If you were affected, your private data such as your nickname, email, date of birth, gender and country/region were potentially viewable by a third party.
Credit card data was not accessed, though as Eurogamer reported earlier this week, linked payment methods were used in some cases to make unauthorised purchases.
In a statement on its Japanese support site, Nintendo confirmed the issue was related to the company’s own Nintendo Network ID (NNID) log-in system – one of several methods used to log into your Nintendo account.
NNID usernames and passwords were obtained illegally outside Nintendo’s service, the company said, and then used to access accounts and make purchases.
As a result, log-in to your Nintendo account via the NNID method has been disabled. All affected NNID passwords will be reset.
Some people whose accounts had been accessed had seen charges on their account via linked payment methods for up to £100 worth of digital items – most commonly, Fortnite’s V-Bucks currency.
Today, Nintendo said the hacking attempts had been ongoing since early April.
Nintendo Account users will now be contacted via e-mail to reset their passwords with a unique passcode not used elsewhere. Nintendo recommends you use a different password for your NNID and Nintendo account, and set up two-factor authentication.
News of the breach has so far only filtered through from that Japanese support page. Nintendo has yet to make an official English-language statement, though Nintendo UK has now tweeted to acknowledge NNID is no longer available as a sign-in method.
In response to recent incidents related to some Nintendo Accounts, it is no longer possible to sign into a Nintendo Account using a Nintendo Network ID. We apologise for any inconvenience caused. Please visit our Support website for more information: https://t.co/GMrXr5OHW0
— Nintendo UK (@NintendoUK) April 24, 2020
We have contacted Nintendo for more.