Nintendo has begun restricting log-ins and resetting affected passwords after admitting that as many as 160,000 accounts may have been illegally accessed by hackers.
The Japanese gaming giant said it was disabling access to accounts via the legacy Nintendo Network ID (NNID), the sign-in system associated with its now-defunct Nintendo 3DS handhelds and Wii U consoles.
That’s because, since the beginning of April, hackers have been using NNIDs “obtained illegally by some means other than our service” to log in to the Nintendo accounts linked to them and buy digital items with the payment cards stored on those accounts.
Unauthorized third parties may also have been able to view personal information including name, date of birth, gender, country/region and email address.
Aside from doing away with NNID log-ins to Nintendo accounts, Nintendo is resetting the passwords of accounts that may have been accessed illegally.
The firm urged users not to share passwords across multiple accounts and to check whether their bank cards may have been used fraudulently.
“Organizations need to pay attention to not only points of access in production environments but also all their deprecated and development endpoints,” said Cequence Security’s Jason Kent.
“These often-forgotten and unsecured APIs can be used by hackers to gain side-door access into systems to achieve the same access to confidential information and monetary gain as if they went through the front door. Unfortunately, most organizations lack full visibility of their APIs, making it a challenge to adequately secure them.”
Chris DeRamus, CTO of DivvyCloud, hypothesized that the attack may have been the result of credential stuffing, in which username/password pairs leaked from other breaches are replayed against a target’s log-in endpoint. The gaming industry is a favoured target: it accounted for around 22% of the credential-stuffing attempts Akamai observed over a 17-month period.
“To prevent unauthorized access to accounts, users should diversify passwords and usernames across different accounts, regularly change those passwords and enable multi-factor authentication (MFA) when possible for an extra layer of security,” he added.
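Credential stuffing has a footprint defenders can look for: one source tries many different usernames in a short window, and almost all of the attempts fail, because only the small fraction of reused passwords actually match. The following is an added example, not code from the original article and not Nintendo’s own tooling. It runs a detector of that pattern over a handful of constructed authentication log lines in a hypothetical `ts ip= user= result=` format (the format, thresholds and IP addresses are assumptions chosen for illustration), and then lists the accounts that were successfully logged into from a flagged source, which are the ones a password reset like Nintendo’s would target.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, not a real vendor's log).
# 203.0.113.7 sprays eight distinct usernames in six seconds and gets one hit,
# 198.51.100.4 is one user mistyping a password, 192.0.2.50 is an office NAT
# with several legitimate users spread across the day.
SAMPLE_LOG = """\
2020-04-05T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2020-04-05T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2020-04-05T10:00:02Z ip=203.0.113.7 user=carol result=FAIL
2020-04-05T10:00:03Z ip=203.0.113.7 user=dana result=OK
2020-04-05T10:00:04Z ip=203.0.113.7 user=erin result=FAIL
2020-04-05T10:00:05Z ip=203.0.113.7 user=frank result=FAIL
2020-04-05T10:00:05Z ip=203.0.113.7 user=grace result=FAIL
2020-04-05T10:00:06Z ip=203.0.113.7 user=heidi result=FAIL
2020-04-05T10:02:10Z ip=198.51.100.4 user=erin result=FAIL
2020-04-05T10:02:30Z ip=198.51.100.4 user=erin result=FAIL
2020-04-05T10:02:45Z ip=198.51.100.4 user=erin result=OK
2020-04-05T09:00:00Z ip=192.0.2.50 user=ivan result=OK
2020-04-05T09:45:00Z ip=192.0.2.50 user=judy result=OK
2020-04-05T10:30:00Z ip=192.0.2.50 user=kim result=OK
2020-04-05T11:15:00Z ip=192.0.2.50 user=leo result=OK
2020-04-05T12:00:00Z ip=192.0.2.50 user=mia result=OK
"""

Event = namedtuple("Event", "ts ip user ok")

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse the hypothetical log format into Event tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m["ip"], m["user"], m["result"] == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5,
                    max_success_ratio=0.2):
    """Flag source IPs that, within any sliding `window`, attempted at least
    `min_users` distinct usernames with a success ratio at or below
    `max_success_ratio`. Returns {ip: summary of the widest matching window}."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # Advance the window start until all events fit inside `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            users = {e.user for e in win}
            successes = [e for e in win if e.ok]
            ratio = len(successes) / len(win)
            if len(users) >= min_users and ratio <= max_success_ratio:
                prev = findings.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    findings[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(win),
                        "successes": len(successes),
                        # Accounts the attacker actually got into.
                        "compromised": sorted({e.user for e in successes}),
                    }
    return findings


def accounts_to_reset(findings):
    """Union of accounts successfully accessed from any flagged source."""
    return sorted({u for f in findings.values() for u in f["compromised"]})


if __name__ == "__main__":
    found = detect_stuffing(parse_log(SAMPLE_LOG))
    for ip, summary in found.items():
        print(ip, summary)
    print("reset:", accounts_to_reset(found))
```

The two criteria work together: the distinct-user count separates stuffing from an ordinary brute force against one account (198.51.100.4 never trips it), and the success-ratio ceiling keeps a shared NAT full of legitimate users (192.0.2.50) from being flagged. In production you would key on the log-in endpoint as well, so that a forgotten legacy path such as an NNID sign-in is covered by the same rule as the main one.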