Nintendo Confirms Massive Data Breach of Up to 160,000 User Accounts

An apparent hacking attack may have exposed the account information of nearly 160,000 registered Nintendo users. While information is still being uncovered regarding this incident, Nintendo has released the following statement regarding this incident:

“We would like to provide an update on the recent incidents of unauthorized access to some Nintendo Accounts. While we continue to investigate, we would like to reassure users that there is currently no evidence pointing towards a breach of Nintendo’s databases, servers, or services. As one action in our ongoing investigation, we are discontinuing the ability to use a Nintendo Network ID to sign in to a Nintendo Account. All other options to sign-in to a Nintendo Account remain available. As a further precaution, we will soon contact users about resetting passwords for Nintendo Network IDs and Nintendo Accounts that we have reason to believe were accessed without authorization.”

While it was initially suggested that this attack targeted Nintendo’s own database, this statement from Nintendo indicates that is not the case and that the accessed information was instead acquired elsewhere. It’s still not clear at this time where the user information in question was taken from, but Eurogamer and other outlets suggest that it could have been acquired through a kind of brute force log-in method known as credential stuffing.

So what information was compromised as a result of this data breach? Well, it doesn’t sound like your credit card and payment information is immediately at risk (though there are some reports that it’s possible that a few linked payment methods have since been used for unauthorized purchases) but we do know that the nickname, email, date of birth, gender and country/region associated with your Nintendo account may have been exposed to hackers if you are one of the users affected by this event.

Nintendo has already disabled account log-in via their NNID method (which seems to be the method that was directly affected by this incident) and have reset the passwords of all known affected accounts. They also encourage all users to utilize two-factor log-in options as an extra security precaution. Furthermore, they will be contacting known, affected users via e-mail with additional information and instructions.

It’s clear that this situation is not ideal for anyone involved, but the good news is that Nintendo does seem to be on top of it and they note that they have been monitoring information related to these attempts since early April.

While that investigation prevents Nintendo from releasing further information regarding the methods used to acquire this data, it does sound like you’ll be able to best protect yourself at this time by resetting your password, enabling extra log-in security, and following all recommended steps if you are notified that your account has been affected.