Nintendo announced today that around 160,000 accounts have been compromised since the beginning of April. Hackers compromised the accounts by abusing the integration with Nintendo’s legacy Nintendo Network ID (NNID) system, which allows people to log into their Nintendo Account using their NNID credentials. While Nintendo did not specify how the hackers were abusing NNID, the company did announce that it is disabling the ability to authenticate using NNID. Nintendo also warned that hackers might have gained access to Personally Identifiable Information (PII) other than credit card information, such as birthdate, region, and country of origin.
While Nintendo has issued password resets for all affected users, it is also recommending that all users who used the same password for their NNID and main Nintendo Account change their passwords just in case. Binary Defense recommends using a password manager to create and manage unique passwords for all services, and enabling Multi-Factor Authentication (MFA) for all accounts that support it. This prevents attackers from pivoting through various services using the same password. Nintendo Online supports “2-Step Verification” to protect accounts.