Nintendo has shut down NNID logins and is encouraging Switch owners to lock down their accounts after a wave of fraudulent attacks. Nintendo itself has confirmed that the platform has fallen foul of hackers, who are accessing accounts and using linked PayPal accounts to make expensive digital purchases. Some reports suggest the attacks have been going on for weeks, but have ramped up in the last few days.
According to Ars Technica, victims will receive a plain-text email notice from Nintendo, advising them of a new sign-in and including details of the time, approximate location and device used to access the account.
Nintendo says that some 160,000 accounts have been targeted, with private details such as nicknames, email addresses, dates of birth and gender potentially viewed by third parties. The company has confirmed that while purchases have been made via Nintendo accounts, credit card data was not accessed.
It appears that hackers have taken advantage of vulnerabilities surrounding legacy accounts. Before the current account system for Switch and other newer devices was introduced, the company used Nintendo Network ID (also known as NNID) for platforms such as the Wii U and 3DS.
These accounts were set up using the consoles’ on-screen keyboards, which made it harder to create strong passwords — the current system, meanwhile, allows accounts to be created in a web browser.
The bigger problem, however, is that while NNIDs are now a thing of the past, they may still be linked to users’ new accounts. As such, hackers need only get into a questionably-secured NNID in order to access a newer account and the PayPal funds associated with it.
As changing an NNID password remains clunky and difficult (not to mention impossible for customers that no longer have access to their old consoles), Nintendo is recommending users — affected by the hack or otherwise — enable two-factor authentication (2FA) on their accounts. It’s a straightforward process that provides a robust layer of security and will prevent hackers from accessing accounts via old NNID credentials.
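The mechanism described above, that a linked legacy login is a second door into the same account, is a weakest-link problem: every enabled sign-in path grants the same session, so the account is only as safe as its least-protected path. The following Python model is an added illustration of that point and of the two mitigations discussed (retiring the legacy path, or gating every path behind 2FA); it is not code from Nintendo or from the article, and the path names, strength scores and sample account are constructed for the example.

```python
from dataclasses import dataclass, replace

# Hypothetical model of an account that can be reached through several
# sign-in paths (a current login plus a linked legacy one). Names, scores
# and the sample account below are constructed for illustration.


@dataclass(frozen=True)
class LoginPath:
    name: str
    enabled: bool
    password_strength: int  # 0 = trivially guessable .. 3 = strong and unique
    second_factor: bool     # True if this path is gated by 2FA


@dataclass(frozen=True)
class Account:
    owner: str
    paths: tuple            # every enabled path yields the same account session
    payment_linked: bool    # a stored PayPal/card makes a compromise costly


def weakest_path(account: Account):
    """Return the enabled path with the least protection.

    Paths without a second factor rank first, then by password strength.
    Because each path yields the same session, the account as a whole is
    only as strong as this path, however good the others are.
    """
    enabled = [p for p in account.paths if p.enabled]
    if not enabled:
        return None
    return min(enabled, key=lambda p: (p.second_factor, p.password_strength))


def assess(account: Account) -> str:
    """Classify the exposure of the account as a whole from its weakest path."""
    weakest = weakest_path(account)
    if weakest is None:
        return "no_login_enabled"
    if weakest.second_factor:
        return "protected"
    if weakest.password_strength <= 1 and account.payment_linked:
        return "high_risk"
    return "exposed"


def disable_path(account: Account, name: str) -> Account:
    """Mitigation 1: retire a login path entirely (as with NNID logins)."""
    return replace(account, paths=tuple(
        replace(p, enabled=False) if p.name == name else p for p in account.paths))


def require_2fa(account: Account) -> Account:
    """Mitigation 2: gate every enabled path behind a second factor."""
    return replace(account, paths=tuple(
        replace(p, second_factor=True) if p.enabled else p for p in account.paths))


# Constructed sample: a strong current login undermined by a linked legacy one.
SAMPLE = Account(
    owner="player1",
    paths=(
        LoginPath("modern-web-login", enabled=True, password_strength=3, second_factor=False),
        LoginPath("legacy-console-id", enabled=True, password_strength=1, second_factor=False),
    ),
    payment_linked=True,
)

if __name__ == "__main__":
    print(assess(SAMPLE), weakest_path(SAMPLE).name)          # high_risk legacy-console-id
    print(assess(disable_path(SAMPLE, "legacy-console-id")))  # exposed (strong password, still no 2FA)
    print(assess(require_2fa(SAMPLE)))                         # protected
```

The sample shows why the article's two recommendations differ in effect: disabling the legacy path removes the weak door but leaves the account dependent on password strength alone, whereas enforcing 2FA on every path protects the account regardless of which linked login an attacker tries.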
However, Nintendo has gone straight to the source of the issue and has also shut down NNIDs completely. In a statement, the company announced it has “abolished the function of logging in to a Nintendo account via NNID,” noting that “passwords will be reset sequentially for NNIDs and Nintendo accounts that have been illegally logged in.”
Nintendo has said that it will immediately refund any fraudulent purchases made, but the company has faced some backlash for the way it’s handled the breach. Firstly, it appears that it has been aware of this type of attack for some time but has only issued guidance after the breach became more widespread.
Secondly, its first statement on the situation advised customers to set different passwords for NNID and Nintendo accounts before making a brief mention of 2FA.
Nonetheless, the attack highlights the pervasive security issues associated with legacy accounts. Users will link existing accounts to newer ones for reasons of convenience without necessarily recognizing the potential consequences of doing so.
If they don’t implement 2FA, they’re left vulnerable. But many would argue that a company the size of Nintendo should have been aware of these risks, and is therefore responsible for taking more proactive measures to mitigate them.
We’ve contacted both Nintendo of America and Nintendo of Europe for comment, and will update you should we receive a response.