What Happened During Nintendo's Data Breach in 2020?

Nintendo has had a run of cyberattacks in recent years. In 2018, security researcher Zammis Clark broke into Nintendo's internal development servers; he was later sentenced for that intrusion and for an earlier attack on Microsoft. The stolen material reportedly ran to over two terabytes of data, including game source files, prototypes, emulators, and unreleased products, some of it dating back to the 80s.

In April 2020, Nintendo was again at the center of a cybersecurity controversy, this time involving around 300,000 Nintendo Network IDs (NNIDs). The NNID is the legacy login for the Wii U and 3DS, and many users had linked theirs to the Nintendo Account used on the Switch, so a compromised NNID gave access to the linked account. Nintendo initially reported 160,000 affected accounts, then found another 140,000 after further investigation.

Of the more than 300,000 affected accounts, fewer than 1% were used to make fraudulent purchases. Nintendo has been vague about how the attackers acquired the logins, saying only that the credentials were "obtained illegally from other than our service by some other means", which points to credentials leaked or stolen somewhere other than Nintendo's own systems.


Try TeamPassword with a free trial and see for yourself what it can do for you.

A Rough Timeline of Events

  • April 9, 2020 - Much to the confusion of its followers, Nintendo tweets, seemingly out of the blue: "You can help secure your Nintendo Account by enabling 2-Step Verification." with a link to instructions.
  • April 19, 2020 - The founding editor of LootPots, a Nintendo fansite, tweets: "I suspect Nintendo may have had a major security breach. My account was accessed numerous times overnight. My password is a unique string, and my PC is definitely clean (not that I ever login via it). Lots of similar reports on Reddit/Twitter. Unlink PayPal & enable 2FA folks!"
  • April 24, 2020 - Nintendo releases an official statement confirming that 160,000 accounts have been compromised.
  • April 27, 2020 - Nintendo confirms it has discovered another 140,000 affected accounts, taking the total to 300,000.


What Account Information Was Compromised?

According to Nintendo, the NNID data breach included:

  • The account owner's full name
  • Email address
  • Date of birth
  • Country of residence

Stored billing details were not exposed: the payment method is masked in the account and cannot be read out, but whoever controls the account can still spend with it. Some users with a linked credit card or PayPal account reported fraudulent purchases at the My Nintendo Store or Nintendo eShop.

These purchases were what first raised suspicion of account takeovers, with some users reporting strange activity and purchases as early as March 2020.


How Did Hackers Access Nintendo User Accounts?

Citing "security reasons," Nintendo hasn't disclosed how the attackers accessed NNID accounts, but it did confirm that its own servers were not breached. That leaves three plausible ways the credentials could have been obtained.

Credential Stuffing

Attackers take usernames (or email addresses) and passwords leaked from one service and replay them against another in automated, large-scale login attempts. The credential lists typically come from earlier breaches of games, forums, or applications with weak security and are traded or sold in bulk.

The attack works because many people reuse the same email and password across accounts. One possibility is that a chatroom, forum, or application popular with Nintendo users was breached and its credential database was tried against Nintendo's login.

The attacker's tooling then tests each username and password pair to see which ones also unlock a Nintendo account. Because each account sees only one or two attempts, usually from a pool of rotating IP addresses, per-account lockouts never trigger; the pattern is only visible when login traffic is viewed per source or across the whole user base.

Nintendo had encouraged users to set different passwords for their NNID and Nintendo Account to limit this risk, and after the breach it removed the option to sign in to a Nintendo Account with an NNID.

Phishing

Another likely scenario, and a very common one, is that Nintendo users fell for phishing. In a phishing attack, criminals send a spoofed message (text, email, etc.) that tricks the user into clicking a link or entering their credentials on a fake login page.

Phishing is hard to spot on first inspection because attackers mimic genuine correspondence and can build a convincing replica of an application or website login. The reliable check is the domain in the address bar rather than the look of the page; a password manager helps here because it will not autofill credentials on a lookalike domain it has never seen.

Brute Force Attack

A brute force attack is a guessing game in which attackers systematically try passwords until one works. They usually start with common passwords and patterns and then move on to guesses built from the target's name or personal information.

Nowadays most websites and applications blunt brute force attacks by limiting the number of incorrect passwords you can enter before the account or source is throttled or locked, and by supporting two-factor authentication (2FA), so that a guessed password alone is not enough. Those controls make a brute force attack the least likely explanation for a takeover of 300,000 accounts.
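Nintendo has published no logs, so the following is an added illustration for this page, not Nintendo's detection logic or any code from the original article, of how credential stuffing and brute force look different on the server side. The log format, the sample lines and the thresholds are constructed for the example; the point is that credential stuffing is invisible per account (one attempt each) and only shows up when attempts are grouped by source, and that the accounts it logged into successfully are the ones whose passwords were reused.

```python
import re
from collections import defaultdict

# Parses one login event. The format is an assumption for this example; adapt the
# regex to your own authentication logs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log (not real traffic): one source spraying leaked credentials
# across many accounts, one source hammering a single account, and two ordinary users.
SAMPLE_LOG = "\n".join(
    ["2020-04-18T02:00:01Z ip=198.51.100.5 user=alice@example.com result=OK"]
    + [
        f"2020-04-18T02:00:{i + 10:02d}Z ip=203.0.113.7 user={u}@example.com result={r}"
        for i, (u, r) in enumerate([
            ("bob", "FAIL"), ("carol", "FAIL"), ("dave", "OK"), ("erin", "FAIL"),
            ("frank", "FAIL"), ("grace", "OK"), ("heidi", "FAIL"), ("ivan", "FAIL"),
            ("judy", "FAIL"), ("mallory", "FAIL"),
        ])
    ]
    + [
        f"2020-04-18T02:05:{i:02d}Z ip=192.0.2.44 user=alice@example.com result=FAIL"
        for i in range(10)
    ]
    + [
        "2020-04-18T02:30:00Z ip=198.51.100.9 user=bob@example.com result=FAIL",
        "2020-04-18T02:30:05Z ip=198.51.100.9 user=bob@example.com result=OK",
    ]
)


def summarize_by_source(log_text):
    """Aggregate login attempts per source IP."""
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set(), "successes": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crashing the detector
        s = stats[m["ip"]]
        s["attempts"] += 1
        s["users"].add(m["user"])
        if m["result"] == "FAIL":
            s["fails"] += 1
        else:
            s["successes"].add(m["user"])
    return stats


def classify_sources(log_text, min_attempts=8):
    """Label each source IP as credential_stuffing, brute_force or normal.

    Credential stuffing: many attempts, almost every one against a different account
    (one shot per leaked credential pair). Brute force: many attempts concentrated on
    one or two accounts and almost all failing. Sources below min_attempts are ignored.
    """
    verdicts = {}
    for ip, s in summarize_by_source(log_text).items():
        if s["attempts"] < min_attempts:
            verdicts[ip] = "normal"
            continue
        distinct = len(s["users"])
        fail_ratio = s["fails"] / s["attempts"]
        if distinct >= 0.8 * s["attempts"]:
            verdicts[ip] = "credential_stuffing"
        elif distinct <= 2 and fail_ratio >= 0.9:
            verdicts[ip] = "brute_force"
        else:
            verdicts[ip] = "normal"
    return verdicts


def compromised_accounts(log_text, min_attempts=8):
    """Accounts that a credential-stuffing source logged into successfully: these are
    the reused passwords, and the accounts to force a reset and a 2FA prompt on."""
    stats = summarize_by_source(log_text)
    verdicts = classify_sources(log_text, min_attempts)
    hit = set()
    for ip, verdict in verdicts.items():
        if verdict == "credential_stuffing":
            hit |= stats[ip]["successes"]
    return sorted(hit)


if __name__ == "__main__":
    for ip, verdict in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{ip:15} {verdict}")
    print("force password reset on:", compromised_accounts(SAMPLE_LOG))
```

A real attacker spreads the stuffing run across many proxies, so in practice the same grouping is also done by user-agent, by ASN, or simply on the global ratio of distinct accounts to attempts in a time window; the per-IP version above is the simplest form of the same idea.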


The Fallout of Nintendo's User Breach

Nintendo users were understandably upset, taking to Twitter and Reddit to vent their frustrations. Not only was this the second major breach for Nintendo in the space of three years, but the Japanese giant's lackluster response seemed to fuel anger and frustration.

Users were given no real explanation of how it happened, which would have helped them understand where they might be exposed and whether their other accounts were at risk.

Nintendo did offer to cancel and refund fraudulent purchases, but according to several Reddit posts the process has not been straightforward, with Nintendo denying some requests.

Nintendo now strongly urges users to enable two-step verification on their Nintendo Account to stop this kind of takeover from happening again.


Protecting Yourself Against Unauthorized Logins

While companies are responsible for protecting our data, we must also take responsibility to protect ourselves. That means better password management.

Companies will do everything they can to avoid refunds, so if they can prove you were negligent, there's a high likelihood you might never recoup some or all of your losses.

Stronger, Secure Passwords

The first step is creating secure passwords for all of your accounts. A secure password should be unique, randomly generated rather than invented, and ideally no less than 12 characters, so that it cannot be guessed or found in a wordlist.

The easiest way to get such passwords is a password generator that draws characters from a cryptographically secure random source. These generators produce a long string of randomized characters for you to copy and paste.

With TeamPassword, you get a built-in password generator capable of creating 32-character secure passwords. You can choose to include uppercase, lowercase, numbers, and symbols to ensure you get robust passwords every time.
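What a generator of that kind does under the hood, as an added example written for this page (not TeamPassword's implementation or code from the original article). It uses the operating system's cryptographic random source, guarantees every selected character class appears, and reports the entropy of the result; the symbol set is a choice for this example.

```python
import math
import secrets

# Character classes a generator typically lets you toggle. The symbol set is a
# choice for this example; some sites reject certain symbols, so adjust as needed.
CLASSES = {
    "upper": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "lower": "abcdefghijklmnopqrstuvwxyz",
    "digits": "0123456789",
    "symbols": "!#$%&()*+,-./:;<=>?@[]^_{|}~",
}
ALL_CLASSES = ("upper", "lower", "digits", "symbols")


def entropy_bits(length, classes=ALL_CLASSES):
    """Bits of entropy for a uniformly random password of `length` over the chosen classes."""
    alphabet_size = sum(len(CLASSES[c]) for c in classes)
    return length * math.log2(alphabet_size)


def has_all_classes(password, classes=ALL_CLASSES):
    """True if the password contains at least one character from every selected class."""
    return all(any(ch in CLASSES[c] for ch in password) for c in classes)


def generate_password(length=20, classes=ALL_CLASSES):
    """Return a random password drawn with the OS CSPRNG (the secrets module).

    Never use random.random/random.choice for this: that generator is seeded
    predictably and its output can be reconstructed from a few samples.
    Rejection sampling guarantees every selected class is present without the
    bias of fixing the position of the "mandatory" characters.
    """
    if length < 12:
        raise ValueError("use at least 12 characters")
    if not classes:
        raise ValueError("select at least one character class")
    alphabet = "".join(CLASSES[c] for c in classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate, classes):
            return candidate


if __name__ == "__main__":
    pw = generate_password(32)
    print(pw, f"({entropy_bits(32):.0f} bits)")
```

A 12-character password over all four classes carries about 78 bits of entropy, a 32-character one about 208; both are far beyond what online guessing or an offline attack on a properly hashed password store can reach, which is why length and true randomness matter more than memorable "complexity" rules.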

Create a Different Password for Every Account

Another huge mistake people make is using the same password across multiple accounts. Even if you have a 32-character, ultra-secure password, you should never use it more than once.

If a hacker steals that password during a breach or you fall victim to a cyberattack, criminals will have access to all of your accounts. 

By creating a separate password for every account, website, and application, you're limiting your exposure and minimizing potential losses. 

Two-Factor Authentication (2FA)

Once you have secure, unique passwords for every login, you'll want to add another layer of security. Two-factor authentication (2FA) means a stolen or guessed password on its own is no longer enough to get into your account, which is exactly the gap that credential stuffing exploits.

What is 2FA, and How Does it Work?

2FA is a two-step login process. The first step is your password, and the second is proof of a different kind, which could be:

  • Possession factor - something you have, such as a hardware 2FA device, a code sent by text message or email, or an authenticator app on one of your devices. For example, when logging in to your bank account, you might receive a text message with a code to enter after your password.
  • Knowledge factor - something you know, such as a memorable word or the answer to a security question like your mother's maiden name. Note that this is the same category as your password, so a security question adds little and is not a true second factor.
  • Biometric (inherence) factor - something you are, such as a fingerprint, iris or retina scan, or facial or voice recognition.

Most applications implement 2FA with time-based one-time passwords (TOTP, RFC 6238): the service shares a secret with your phone once, usually as a QR code, and the app then derives a fresh six-digit code from that secret and the current time every 30 seconds. Google Authenticator is the best-known app for this and is popular because it's free and available for iOS and Android, but any TOTP app works with a TOTP-based service, and some companies instead send a text or email or use their own apps or devices. Text-message codes are the weakest option, since phone numbers can be hijacked by SIM swapping.

TeamPassword uses Google Authenticator for 2FA, and you can also generate backup codes to ensure you never get locked out. 


TeamPassword - A Comprehensive Password Management Solution

TeamPassword allows you to take the guesswork out of creating and saving passwords. With 2FA and backup codes, your accounts are more secure with TeamPassword.

We use the highest levels of security with the most up-to-date encryption technology.

Accessible Anywhere

With TeamPassword, you can access and manage your passwords anywhere and from any device. We even have Chrome, Firefox, and Safari extensions so you can log in to any account quickly and securely.

Groups and Sharing

One major vulnerability arises when you need to share logins and passwords. TeamPassword was built for collaboration, letting you share credentials with other users securely and revoke a user's access with one click.

Built-In Password Generator

A built-in password generator lets you create robust, 12- to 32-character passwords on the fly. TeamPassword automatically saves your new passwords, so you never have to remember them or store them outside the application.

Activity and Logging

When you manage teams with access to your accounts and those of your clients, it's crucial to keep track of who is logging in, viewing passwords, or sharing access. 

With TeamPassword's activity log, you can keep track of all that data to minimize unauthorized access. You can also set up email notifications to get immediate activity updates, perfect for monitoring highly sensitive applications and data.


Avoid becoming another data-breach statistic! Try TeamPassword with a free trial today and take control of your password management!