160,000 Nintendo accounts were compromised—including ...


Image: It's-a me, your Nintendo account's hijacker! (Aurich Lawson / Nintendo)

Throughout the month of April, and particularly this weekend, users of online Nintendo accounts on devices like the Switch have reported receiving email notices that their accounts have been accessed by outside parties. Our ability to verify these claims was bolstered by an unfortunate intrusion on Monday: the hijacking of an Ars Technica staffer's account.

Roughly one hour before this article's publication, Reviews Editor Ron Amadeo received a plain-text email notice from Nintendo, titled simply, "[Nintendo Account] New Sign-In." The notice included the following sign-in details: a 5:25pm ET timestamp; the sign-in taking place via the Firefox browser (which Amadeo says "is not even installed" on any devices he used today); and a location estimate of "United States," which the email says is "estimated based on the IP address used." IP addresses generally pin users down to the county level when traced in the United States, and they are often as specific as individual cities or states.

The email caught Amadeo's attention in part because all of his Nintendo devices are, in his words, "collecting dust." Our cursory research for other affected users brought up threads on Reddit, Twitter, and ResetERA. One Twitter thread included a questionnaire with questions about possible account variables: whether users had logged into the service via a website (which Amadeo had not), whether users had tied their Epic Games or Fortnite credentials to the service (Amadeo had not), and other questions. He did answer "yes" to one question, which over 90 percent of respondents had, as well: use of the Nintendo Network ID service. (Amadeo had used this for Nintendo's previous home console, the Wii U.)
Nintendo did not immediately respond to Ars Technica's questions about the source of the breach or about what credentials and personal details may have been accessed by intruders. Thus, we are unsure whether unauthorized logins are thanks to leaked passwords or what other personal details may have leaked (including email addresses, home addresses, phone numbers, usernames, credit cards, or PayPal account information).

In the meantime, we strongly urge anyone who has ever used an online Nintendo service to log into Nintendo's accounts portal in order to change their passwords, unlink payment credentials, and enable two-factor authentication (2FA). All of these steps can be conducted at the "security" sub-page, whose URL is https://accounts.nintendo.com/security. This also includes a convenient "sign-in history" page. (After logging into his account to do all of the above, Amadeo said he couldn't recall whether he'd used his Nintendo account password elsewhere but that he believed it was unique.)

It's not like an attacker could do anything to me, though, right?

Even if this intrusion is incredibly limited, users should be careful.

Amadeo reported this intrusion with a shoulder shrug, noting that the credit card attached to his account was already expired. "What can [a hijacker] even do? Even if there's a valid credit card, I don't think you could register a new Switch to my account and start buying games." This assumption is fueled, in part, by Nintendo's draconian stance on putting a single account's credentials onto multiple consoles.

Image: Google's automatic translation of the "how to buy" instructions at the Brazilian Nintendo eShop. The game in the background, Panzer Dragoon: Remake, costs roughly $21 in US currency. (Nintendo Brazil)

But with a Nintendo account, the possibilities open a bit wider if any valid payment credentials have been saved. This is because of how Nintendo "eShop" purchases work in certain regions of the world. In many territories, you can use the eShop on a Web browser, but this will only allow you to make purchases to the sole Nintendo Switch assigned to your account. Change the eShop region to somewhere like Brazil, on the other hand, and you'll have the option to buy games' codes—which you can then email, share, and otherwise claim on any other Nintendo Switch's account.
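The manual review Amadeo did (a client he never uses, on an account that had gone quiet) is the kind of check the sign-in history page invites; the Python below is an added example, not code from the article or from Nintendo, and flags sign-ins from a never-before-seen client or estimated country, or the first sign-in after a long idle gap, over a constructed history modelled on the notice he received. The record format, field names and the 90-day idle threshold are assumptions.

```python
"""Flag anomalous entries in an account's sign-in history.
Added example, not the article's or Nintendo's code; the record format is constructed."""
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class SignIn:
    when: datetime
    browser: str  # client named in the notice, e.g. "Firefox" or the console itself
    country: str  # coarse location the notice estimates from the source IP

def parse_sign_in(line: str) -> SignIn:
    """Parse one 'timestamp | browser | country' record (constructed format)."""
    when, browser, country = (field.strip() for field in line.split("|"))
    return SignIn(datetime.fromisoformat(when), browser, country)

def flag_anomalies(history: list[SignIn], idle_days: int = 90) -> list[tuple[SignIn, list[str]]]:
    """Flag sign-ins from a never-before-seen client or country, and the first
    sign-in after a long idle gap. Earlier entries form the baseline for later
    ones, so `history` must be sorted oldest first."""
    seen_browsers, seen_countries = set(), set()
    last_seen = None
    flagged = []
    for event in history:
        reasons = []
        if seen_browsers and event.browser not in seen_browsers:
            reasons.append(f"new client: {event.browser}")
        if seen_countries and event.country not in seen_countries:
            reasons.append(f"new estimated location: {event.country}")
        if last_seen is not None and (event.when - last_seen).days > idle_days:
            reasons.append(f"first sign-in after {(event.when - last_seen).days} idle days")
        if reasons:
            flagged.append((event, reasons))
        seen_browsers.add(event.browser)
        seen_countries.add(event.country)
        last_seen = event.when
    return flagged

# Constructed sample: console sign-ins from home, then a browser sign-in from a
# client the owner never uses, months after the account went quiet.
SAMPLE_HISTORY = [
    "2019-11-02T20:10:00+00:00 | Nintendo Switch | United States",
    "2019-12-24T18:45:00+00:00 | Nintendo Switch | United States",
    "2020-04-20T21:25:00+00:00 | Firefox | United States",
]

def review_sample() -> list[tuple[SignIn, list[str]]]:
    """Run the check over the constructed history, as a user eyeballing the page would."""
    return flag_anomalies([parse_sign_in(line) for line in SAMPLE_HISTORY])
```

A same-country sign-in from an unfamiliar client is still flagged, which matters because the IP-based location in the notice was too coarse on its own to tell Amadeo anything.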
All of this assumes that this round of Nintendo account hijackers either harvested usernames and their matching passwords (which is bad) or found a way to log into users' accounts without any passwords attached (which is much worse). The potential harm only gets worse if the leak includes payment credentials or home addresses and phone numbers—but we're still waiting to hear whether those leaked.

Update, April 21: Hours after the company's European arm issued a statement to Eurogamer, formally asking all of its users to turn on 2FA, a Nintendo of America representative offered a nearly identical statement to Ars Technica:

We are aware of reports of unauthorized access to some Nintendo Accounts and we are investigating the situation. In the meantime, we recommend that users enable two-step verification for their Nintendo Account as instructed here: https://en-americas-support.nintendo.com/app/answers/detail/a_id/27496. If any users become aware of unauthorized activity, we encourage them to take the steps outlined at https://en-americas-support.nintendo.com/app/answers/detail/a_id/47194 or visit https://support.nintendo.com for general support.

Nintendo of America has published official guidance about turning on 2FA via Google Authenticator (that method also works with other authentication apps). Nintendo of America did not offer answers to our questions about the nature of the breach or how Nintendo is planning to address it.

Update, April 24: Nintendo has now issued a statement (Google Translate) confirming up to 160,000 Nintendo Accounts have been affected by the recent breach. Nicknames, date of birth, gender, country/region, and email address information may have been viewable by hackers, the company says. There's no indication that credit card information was visible to hackers, though, even as some accounts may have seen illegitimate purchases through linked payment information.

Nintendo says it has discontinued the ability to link outdated Nintendo Network IDs to Nintendo accounts, which appears to have been the main vector for the credential-stuffing attacks. Compromised Nintendo Network IDs will have their passwords reset automatically.
Nintendo continues to urge its users to activate two-factor authentication on their accounts to prevent any further breaches.

The April 21 update has been revised to include direct comments from Nintendo of America.

Promoted Comments

Looks like Nintendo's 2fa is all based on the Google Authenticator app. https://en-americas-support.nintendo.co...do-account

SomeoneElseFromSomewhere wrote: from the article: "either harvested usernames and their matching passwords (which is bad) or found a way to log into users' accounts without any passwords attached (which is much worse)"

I disagree on this one; I think if someone has harvested usernames/passwords from Nintendo that's actually *much worse* for the end users. Soooo many people re-use their passwords, and next thing their gmail is compromised, then whichever bank is sending them emails is compromised etc. Not saying people should re-use passwords, but it's just what happens.

What Sam meant is that a credential-stuffing attack, which exploits previously compromised passwords that are reused on Nintendo, isn't nearly as bad as hackers having a way to bypass Nintendo authentication.

Sam Machkovech: Sam has written about the combined worlds of arts and tech since his first syndicated column launched in 1996. He can regularly be found wearing a mask in Seattle, WA. [email protected] // Twitter @samred


