Yesterday, Nintendo released a new statement confirming that an additional 140,000 user accounts were exposed after the Nintendo Network ID (NNID) system was compromised in April 2020.
Before confirmation of the security incident, the company received multiple reports from users reporting unauthorized logins to their accounts, and even fraudulent use of stored credit card data.
In an initial statement on April 24, Nintendo acknowledged that around 160,000 accounts were affected by a security incident that led to the leak of personal identifiable information such as nicknames, date of birth, country, region, email address and gender.
Users were asked to immediately reset their account passwords and enable two-factor authentication, and the company removed the faulty login function using the NNID.
Nearly two months after their first report, the number of compromised accounts has now reached 300,000.
“We posted a report on unauthorized login on April 24th, but as a result of continuing the investigation after that, there were approximately 140,000 additional NNIDs that may have been accessed maliciously,” the company said. “We have also reset the passwords for these 140,000 NNIDs and the Nintendo accounts that were linked with them, and contacted the customer separately. At the same time, we are taking additional security measures.”
The company also said it is in the process of refunding affected users, and that less than 1% of all NNIDs illegally accessed may have also suffered fraudulent transactions through their Nintendo account.
While credential stuffing was named the prime vector leading to the data breach, the culprits responsible for this fraudulent activity remain unnamed. Credential stuffing attacks can lead to account takeover, and victims that use the same password for each online account can suffer great financial losses.
This is why it’s wise to use separate email and password when you create a new account. If creating a new email address is not for you, create a strong and unique password and use multi-factor authentication to add an additional layer of security.