Thousands of Club Nintendo accounts compromised

The "Club Nintendo" site has been the victim of mass login attempts that have been occurring since June 9, the company said, with hackers using a third-party list of user names and passwords to try to find matches. Consumers often use the same user name and password combination across services, meaning that if hackers find a password matching a user name for one login, they can reasonably expect it to be the same for a different account using the same user ID.

Nintendo said in a press release that nearly 15.5 million logins were attempted. Of those, 23,926 were successful.

Nintendo said it first became aware of the unauthorized access last week after the large number of unknown login errors on the site began to snowball. The company suspended the accounts that were accessed illicitly (all Japanese), and sent emails asking those users to reset their passwords.
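The pattern described above (one list replayed against many accounts, a tiny fraction of hits, then suspension and reset of the accounts that were hit) can be picked out of authentication logs. The following is an added example, not Nintendo's tooling: the log format, the `OK`/`FAIL` result names, the per-source grouping and both thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample log (not real data): timestamp, source IP, username, result.
SAMPLE_LOG = """\
2013-06-09T10:00:01 203.0.113.7 user01 FAIL
2013-06-09T10:00:01 203.0.113.7 user02 FAIL
2013-06-09T10:00:02 203.0.113.7 user03 FAIL
2013-06-09T10:00:02 203.0.113.7 user04 FAIL
2013-06-09T10:00:03 203.0.113.7 user05 OK
2013-06-09T10:00:03 203.0.113.7 user06 FAIL
2013-06-09T10:00:04 203.0.113.7 user07 FAIL
2013-06-09T10:00:04 203.0.113.7 user08 FAIL
2013-06-09T10:01:10 198.51.100.20 hanako FAIL
2013-06-09T10:01:25 198.51.100.20 hanako OK
2013-06-09T10:02:00 192.0.2.44 kenji OK
"""

def parse(log):
    """Yield (timestamp, ip, user, result) tuples, skipping malformed lines."""
    for line in log.splitlines():
        fields = line.split()
        if len(fields) == 4:
            yield tuple(fields)

def find_list_replay(log, min_users=5, max_success_rate=0.25):
    """Flag sources that try many distinct usernames with few successes.

    Returns {ip: sorted usernames that authenticated from that source};
    those are the accounts to suspend and force through a password reset.
    """
    users, attempts, hits = defaultdict(set), defaultdict(int), defaultdict(set)
    for _ts, ip, user, result in parse(log):
        users[ip].add(user)
        attempts[ip] += 1
        if result == "OK":
            hits[ip].add(user)
    flagged = {}
    for ip, tried in users.items():
        success_rate = len(hits[ip]) / attempts[ip]
        # A person retrying their own password touches one username;
        # a replayed list touches many and almost all of them fail.
        if len(tried) >= min_users and success_rate <= max_success_rate:
            flagged[ip] = sorted(hits[ip])
    return flagged

if __name__ == "__main__":
    for ip, accounts in find_list_replay(SAMPLE_LOG).items():
        print(ip, "-> suspend and reset:", accounts)
```

Grouping by source address misses attempts spread thinly across many addresses, so a site-wide failure-rate alarm of the kind Nintendo describes remains the backstop.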

Fortunately, Club Nintendo doesn’t handle financial information. Registered Nintendo customers can earn points that can be redeemed for rewards. But the incident demonstrates just how easily bad actors can crack passwords, especially if they have pilfered lists from other sites. As always, users should select passwords for each application or website that are unique and not common.

Nintendo isn’t the only Japanese gaming company to find itself the target of hackers. The most recent large-scale attack was a 2011 incident, when hackers compromised the personal data of around 77 million Sony PlayStation users, attacking the PlayStation Network, the Qriocity service and Sony Online Entertainment, causing a PSN outage for more than a month. The breach prompted a class-action suit brought by victims seeking financial recompense for what they alleged was Sony's negligence in data security, firewall readiness and data encryption. The suit was dismissed last autumn.
