Nintendo confirmed that up to 160,000 Nintendo accounts were accessed in a huge privacy breach. If you were affected, your private data, such as nickname, email, date of birth, sex and country / region, were potentially viewed by third parties.
Credit card data has not been accessed, although, as reported by Eurogamer earlier this week, linked payment methods have been used in some cases to make unauthorized purchases.
In a statement on the Japanese support website, Nintendo confirmed that the problem was related to the Nintendo Network ID (NNID) login system – one of several methods used to log into your Nintendo account.
NNID usernames and passwords were obtained illegally outside of Nintendo's service, the company said, and then used to access accounts and make purchases.
As a result, login to your Nintendo account using the NNID method has been disabled. All affected NNID passwords will be reset.
Three days ago, Nintendo told Eurogamer that it was "investigating" a growing wave of reports that we heard from Switch owners saying their accounts had been accessed.
Some people whose accounts have been accessed have been charged to their accounts using linked payment methods for digital items up to £ 100 – most commonly, Fortnite's VBuck currency. Today, Nintendo said hacker attempts have been underway since early April.
Nintendo account users will now be contacted by email to reset their passwords with a unique password not used elsewhere. Nintendo recommends that you use a different password for your NNID and Nintendo account and set up two-factor authentication.
Nintendo published a statement in English in today's announcement that its account system suffered a privacy breach that affected up to 160,000 people.
In the statement, Nintendo says that there was currently no evidence to suggest that Nintendo's databases, servers or services were accessed. This again suggests that the login data used to access accounts was obtained elsewhere – a tactic known as filling in credentials.
To protect accounts going forward, Nintendo no longer details how the attack occurred.
Finally, as we reported earlier, login via Nintendo Network ID has been disabled and all users are highly recommended to enable two-factor authentication immediately.
Nintendo's statement follows in full:
We would like to provide an update on recent incidents of unauthorized access to some Nintendo accounts.
As we continue to investigate, we would like to reassure users that there is currently no evidence to suggest a breach of Nintendo's databases, servers or services. As an action in our ongoing investigation, we have discontinued the ability to use a Nintendo Network ID to sign into a Nintendo Account. All other options for logging into a Nintendo account remain available.
As an added precaution, we will soon be contacting users about resetting passwords for Nintendo Network IDs and Nintendo Accounts that we believe have been accessed without authorization.
In addition, we also continue to strongly encourage users to enable 2-step verification for their Nintendo account, as instructed here: How to set up 2-step verification for a Nintendo account .
If any user becomes aware of unauthorized activity, we recommend that you follow the steps outlined in Nintendo account recovery process .
During the investigation, in order to prevent further attempts at unauthorized logins, we will not disclose more information about the methods employed to obtain unauthorized access.
We apologize for the inconvenience and concerns caused to our customers and will continue to work hard to protect the security of our users' data.