Nintendo admitted that around 160,000 accounts have been compromised through the Nintendo Network ID (NNID) system. The company announced that the NNID system was disabled, at least for now.
Reports surfaced in the past few weeks about a possible data leak directly affecting Nintendo users. People started to notice unlawful logins into their accounts, with some users reporting various illegal purchases. Nintendo remained quiet for a while, but the company now admits that some users were affected.
The Nintendo Network ID is a legacy system dating back to the Wii U and Nintendo 3DS days that was adapted to serve as a login for more recent devices. Nintendo also started to use a feature called Nintendo Account for Switch users, but people who already had an NNID account could use that to log in.
The data affected by the leak includes the nickname, date of birth, country, region, email address, and gender.
For now, Nintendo has temporarily disabled the NNID login function and issued a reset for all NNIDs and Nintendo accounts that may have been illegally logged into. The company also promised to send emails to all the people affected and to change their passwords as soon as possible.
Users have been asked to choose a unique and robust password that hasn't been used anywhere else, and to enable two-factor authentication. It's also a good idea to check the credit card balance or the PayPal account for any unlawful transactions.
The source of the leak is unknown, and Nintendo has yet to expand on this issue. It could very well be a credential stuffing attack, which means that hackers tried user names and passwords from other data breaches. Many users use the same credentials on multiple online services, which means that once the credentials are exposed, all of their online accounts are compromised.