What just happened? Nintendo has confirmed that over 160,000 of its account holders were victims of hacking attempts—a result of vulnerabilities in the legacy Nintendo Network ID (NNID) system, which can be used to log into main Nintendo accounts.
Nintendo says login IDs and passwords were “obtained illegally by some means other than our service.” It has now disabled the ability to log into Nintendo Accounts through a NNID, and is resetting passwords for affected accounts.
NNIDs were used for older Nintendo devices such as the Wii U and 3DS before the more recent account system used for the Switch and other newer platforms was introduced. Until today, it had been possible to sign into a Nintendo Account though a NNID, but that ability has been disabled.
In response to recent incidents related to some Nintendo Accounts, it is no longer possible to sign into a Nintendo Account using a Nintendo Network ID. We apologise for any inconvenience caused. Please visit our Support website for more information: https://t.co/GMrXr5OHW0— Nintendo UK (@NintendoUK) April 24, 2020
Hackers could have viewed compromised accounts’ details, including nicknames, date of birth, country, and email addresses. Many of the breached accounts were used to purchased digital items, such as Fortnite VBucks, via their linked payment methods, though Nintendo has promised to refund any fraudulent purchases.
Nintendo is emailing affecting users, warning them that their credit card/PayPal details may have been used at My Nintendo Store or Nintendo eShop. The company stressed that credit card data was not accessed.
Nintendo is now recommending that all its users enabled two-factor authentication for an extra layer of security, which is something we should all be doing wherever possible. You can read Nintendo’s instructions on how to set it up using the Google Authenticator app, though the method also works with other authenticator apps.