Around 300,000 Nintendo Network ID (NNID) accounts were compromised in 2020 due to a massive data breach. Between 2016 and 2019 multiple Nintendo servers were hacked and information about video games, gaming consoles, and developer tools was stolen.
Nintendo data breach in 2020
On April 24, 2020, Nintendo announced that about 160,000 Nintendo Network ID (NNID) accounts had been compromised since the beginning of April. It later emerged that an additional 140,000 NNIDs may have been accessed maliciously. Thus, the total number of compromised Nintendo accounts in this single data breach is around 300,000, almost twice as many as initially reported. According to Nintendo, less than 1% of all NNIDs were affected by this data breach. NNIDs are associated with the Wii U and 3DS, older Nintendo consoles.
What information is exposed?
The information that may have been viewed by a third party includes nickname, date of birth, country/region, and email address. However, accounts for which two-step verification is set are excluded. Although credit card numbers are not among the information that was exposed, Nintendo disclosed that there was a risk that the balance and the registered credit card or PayPal account of the compromised accounts may have been used illegally at My Nintendo Store or Nintendo eShop.
This means that some users could see unexpected purchases of items such as Fortnite V-Bucks, as well as Nintendo games and other digital items. Some users complained on social media.
Nintendo response to the data breach
In response to this data breach, Nintendo reset the passwords of the compromised accounts and suspended the ability to log in to a Nintendo account via NNID. It also sent email notifications to all affected users. The official Nintendo statement says that “During the investigation, in order to deter further attempts of unauthorised sign-ins, we will not reveal more information about the methods employed to gain unauthorised access”.
Was Nintendo hacked?
Experts from SpyCloud believe this leak did not involve a Nintendo data breach. They conclude that attackers used a combination of crimeware and older breach data to identify and take over accounts with vulnerable logins. It seems that the affected Nintendo accounts were vulnerable because users had chosen passwords that had been exposed in previous data breaches. According to TechRepublic, Nintendo would neither confirm nor deny SpyCloud’s findings.
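Screening new passwords against known breach data is the direct defence against the password reuse SpyCloud describes. The following is an added example, not code from Nintendo or SpyCloud: it assumes a SHA-1 prefix/suffix range lookup in the style of Have I Been Pwned's Pwned Passwords service, with a small constructed in-memory corpus standing in for real breach data, and all function names are hypothetical.

```python
import hashlib

# Constructed sample standing in for an older breach corpus (not real leak data).
CONSTRUCTED_BREACH_CORPUS = [
    "123456", "password", "123456", "mario123", "qwerty", "password", "123456",
]

def sha1_hex(password):
    # SHA-1 is used only as the lookup key format, never for password storage.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(passwords):
    """Group hashes by 5-char prefix: {prefix: {35-char suffix: times seen}}."""
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        bucket = index.setdefault(digest[:5], {})
        bucket[digest[5:]] = bucket.get(digest[5:], 0) + 1
    return index

def range_query(index, prefix):
    """Service side: sees only the 5-char prefix, returns every suffix under it."""
    return dict(index.get(prefix, {}))

def breach_count(password, index):
    """Client side: send the prefix, match the suffix locally."""
    digest = sha1_hex(password)
    return range_query(index, digest[:5]).get(digest[5:], 0)

def screen_new_password(password, index, min_length=8):
    """Reject a candidate password at signup or reset if it is short or breached."""
    if len(password) < min_length:
        return (False, "too short")
    seen = breach_count(password, index)
    if seen:
        return (False, f"seen {seen} time(s) in breach data")
    return (True, "ok")

INDEX = build_range_index(CONSTRUCTED_BREACH_CORPUS)

if __name__ == "__main__":
    for candidate in ["mario123", "password", "123456", "tidal-copper-lantern-47"]:
        print(candidate, screen_new_password(candidate, INDEX))
```

Because only the five-character hash prefix leaves the client, the lookup service never learns which password was checked.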
Nintendo hacked in 2016
On January 31, 2020, a Californian man who hacked into Nintendo servers to steal video games and other proprietary information pleaded guilty, according to a Department of Justice press release. Back in 2016, Ryan S. Hernandez, aka Ryan West, who used the online moniker “RyanRocks,” and his associate used phishing techniques to steal the credentials of a Nintendo employee. Those credentials were used to gain access to confidential Nintendo files related to its consoles and games.
Following the investigation in October 2017 FBI agents contacted Hernandez and his parents, and the hacker promised to stop any further malicious activity. However, between June 2018 and June 2019, Hernandez hacked into multiple Nintendo servers again and stole confidential information about various video games, gaming consoles, and developer tools.
Some of the stolen information was leaked to others, and Hernandez bragged about his hacking exploits on Twitter and Discord. He also discussed possible Nintendo network vulnerabilities on his chat forum, called “Ryan’s Underground Hangout”. Following his arrest, Hernandez agreed to pay $259,323 in restitution to Nintendo for the remediation costs caused by his conduct.