Nintendo gamers have been reporting suspicious activities on their account for the past few weeks. According to the complaints aired out on Reddit and Twitter, the attackers logged into their accounts and used the connected payment card to buy digital goods such as V-Bucks, a in-game currency used in Fortnite.
Attackers abused a legacy Nintendo Network ID (NNID) login system and gained access to over 160,000 user accounts.
Nintendo said in a Friday statement, which is in Japanese, that the attackers have been abusing its NNID legacy login system since the beginning of April to hack into the accounts. Over 160,000 user accounts were affected in this breach.
NNID was primarily used for the Nintendo 3DS handheld and Wii U consoles, both of which are now discontinued. This is different from a Nintendo Account, which is used for company’s most recent gaming console, the Nintendo Switch.
A NNID can be linked to a Nintendo Account and used as a login option. If the attackers were able to access a linked NNID, they could then access the Nintendo account. From there, they would have access to payment methods (via PayPal or payment cards) necessary for making in-game purchases.
The company did not provide further detail about how the attackers had access the NNID accounts other than saying the accounts were illegally obtained by some other means. It has now disabled the ability to a Nintendo account using NNID.
Nintendo further warned that other than accessing the payment methods, the attackers may have also been able to access users’ nicknames, date of birth, countries and email address. Credit card data on the other hand was not accessed.
In the statement, the Japanese electronic giant stated they will also be resetting password for the affected accounts. Users will be notified by email to reset their Nintendo Network ID (NNID) and Nintendo account. Players are also advised to set up two-factor authentication to add another layer of security to their accounts.