Brute-force attack on Club Nintendo website results in 24,000 compromised accounts

By on July 8, 2013, 6:00 PM

Nintendo recently revealed that nearly 24,000 Club Nintendo accounts have been hacked following what was close to a month-long brute-force attack. We are being told that members’ full names, home addresses, phone numbers and e-mail addresses were compromised during the attack, although billing information like credit cards thankfully isn’t part of the rewards site.

The attack appears to have only affected Club Nintendo users in Japan and was only noticed last week following a large number of access errors. In total, Nintendo said there were 15 million unauthorized login attempts during the attack.

Despite the fact that there doesn’t appear to be any real security threat, it is a bit concerning that it took so many failed logins before Nintendo even became aware of the issue. The company has since issued an e-mail to affected Club Nintendo members urging them to change their passwords as existing passwords have all been wiped.

Club Nintendo allows members to build points, or “coins,” that can be traded in for promotional items. Members can earn points simply by buying Nintendo products, registering their gear and providing feedback. Other perks include a free warranty extension program for registered systems as well as access to limited-edition bonus items like CDs, gifts and exclusive events.

This is the second high-profile gaming-related hack in less than a week. If you recall, Ubisoft’s website was hacked earlier this month, and sensitive information including user names, e-mail addresses and encrypted passwords was compromised. It’s worth pointing out, however, that the two incidents don’t appear to be linked.

User Comments: 5

Darth Shiv said:

This is exactly why you use account lockout policies such as 3 login attempts per 10 min or hour etc. And maybe actually monitoring/taking metrics of failures.

Is there some reputable best practices guide for setting up web portal login security procedures? If there is, it needs to be more visible. Some sort of template to implement a webpage security and implementing storage of personal details.
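
The lockout-plus-monitoring idea from the comment above, sketched as an added example (not part of the original article or comments). The class name, the `site_alert` threshold and the sample events are assumptions made for illustration; events must be fed in time order.

```python
from collections import defaultdict, deque

class LoginGuard:
    """Per-account lockout plus a site-wide failure-rate alert (sliding windows)."""

    def __init__(self, window=600, max_failures=3, site_alert=1000):
        self.window = window              # seconds; 600 = the comment's "10 min"
        self.max_failures = max_failures  # the comment's "3 login attempts"
        self.site_alert = site_alert      # assumed threshold, tune to normal traffic
        self.per_account = defaultdict(deque)  # account -> failure timestamps
        self.site_failures = deque()           # every rejected attempt, any account
        self.alerts = []                       # times at which an alert was raised

    def _trim(self, q, now):
        while q and q[0] <= now - self.window:
            q.popleft()

    def is_locked(self, account, now):
        q = self.per_account[account]
        self._trim(q, now)
        return len(q) >= self.max_failures

    def attempt(self, account, password_ok, now):
        """Return 'ok', 'denied' or 'locked' for one attempt at time `now` (seconds)."""
        locked = self.is_locked(account, now)
        if password_ok and not locked:
            self.per_account.pop(account, None)   # success clears the counter
            return "ok"
        # Count every rejection site-wide, so guesses spread thinly over many
        # accounts (which never trip a per-account lockout) still show up.
        self.site_failures.append(now)
        self._trim(self.site_failures, now)
        quiet = not self.alerts or now - self.alerts[-1] >= self.window
        if len(self.site_failures) >= self.site_alert and quiet:
            self.alerts.append(now)               # at most one alert per window
        if locked:
            return "locked"                       # refused even if the password is right
        self.per_account[account].append(now)
        return "denied"

def replay(guard, events):
    """Feed constructed (time, account, password_ok) events through the guard."""
    return [guard.attempt(acct, ok, t) for t, acct, ok in events]

# Constructed sample: three bad guesses lock "alice"; the lock ages out after 10 min.
ONE_ACCOUNT = [(0, "alice", False), (10, "alice", False), (20, "alice", False),
               (30, "alice", True), (700, "alice", True)]
# Constructed sample: one bad guess against each of six different accounts.
SPREAD = [(t, f"user{t}", False) for t in range(6)]
```

Replaying `SPREAD` locks no account at all, which is why the site-wide counter is kept alongside the per-account one.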

Loukin said:

I hope mine didn't get compromised.

Skidmarksdeluxe said:

I like the way companies always try to downplay the severity of these attacks by saying c/c info wasn't compromised only to find out a few days later that you're a couple of grand in the red and you can't hold that company responsible. I'll never ever use my c/c online, in fact I never buy anything online. Call me old fashioned but that's the way I operate.

Guest said:

I never buy anything online. Call me old fashioned but that's the way I operate

You won't have much reason to anymore if the online tax bill passes.

bexwhitt said:

Nintendo still in business, wow.
