Incident of the Week: Nintendo Investigating 160,000 Account Breaches

Add bookmark
Kayla Matthews
Kayla Matthews
05/01/2020

What had happened?

Hackers have gained access to hundreds of thousands of Nintendo accounts this April. Nintendo confirmed on Friday, April 24, that 160,000 accounts were breached since the beginning of the month. The Japanese video game company has since readdressed weak points in its security.

Rumors of a breach circulated throughout the month as users noticed unusual account behavior. Players reported that funds went missing from their accounts. Some found unauthorized purchases of Fortnite's virtual currency, V-bucks, on their account history.

It is unclear how much was stolen in this breach, but it represents a considerable security risk. Worldwide, more than 53 million people own a Nintendo Switch, which is not the company's only console with online functions. Further exploitation of the system's vulnerabilities could affect millions of people.

How Hackers Got In

With more than 140,000 members, Cyber Security Hub is the vibrant community connecting cyber security professionals around the world.

The hackers were able to infiltrate Nintendo's systems through a legacy system called the Nintendo Network ID (NNID). Players used NNIDs to access online content on the Wii U and 3DS, now-discontinued consoles. Nintendo kept support for the NNID system to allow older players to log into newer consoles the same way.

See Related: Phishing Attacks Work Because… Humans

Nintendo did not reveal how the hackers got these NNIDs but stated it was not from their services. By accessing users' NNIDs, the hackers could then gain access to their Nintendo accounts. These accounts hold information like credit card numbers and PayPal credentials for making online purchases. 

Apart from financial data, users' accounts contain sensitive personal information. Birthdays, countries of residence and email addresses are all included in players' Nintendo profiles. 

What was Nintendo's Response?

In response to the breach, Nintendo has discontinued NNID support. Users will have to use their email address to log into their Nintendo accounts now. The company also reset the affected user's passwords and emailed them about the incident.

Nintendo is also taking steps to provide more well-rounded security for their users. It has asked players to set up two-step verification for logging into their accounts. Since password theft is such a common issue, this extra step is advisable for anyone with any password-protected account or document.

The video game giant stated they would take further steps to strengthen their security in the future. They did not say what exactly these steps would be, but they likely involve testing for more vulnerabilities. 

How can you Protect Your Business From Similar Breaches?

What does all of this mean for CISOs at other companies? Nintendo is not the first company to experience a breach like this, and likely will not be the last. In 2019 alone, there were more than 1,400 data breaches, exposing more than 164 million records and documents.

The Nintendo data breach came from an easily-overlookable vulnerability: legacy systems. Your company may continually introduce new security measures, but these may not cover older parts of the company's process. Any security upgrade that does not account for legacy software and hardware is incomplete.

See Related: How to Manage Ransomware Attacks Against Your Remote Workforce

Periodic penetration testing may be necessary for finding these gaps in security. Nintendo likely did not consider how the NNID system could be a vulnerability until it was too late. You may not know where your weak points are, but penetration testing can help you find them.

The Nintendo breach also emphasizes the importance of multi-factor authentication. Without it, hackers may only need a password to get access to your systems.

Strong Cyber Security is Fluid

To protect your data and that of your clients, you need ever-adapting cyber security. If Nintendo had introduced more well-rounded measures as it advanced the rest of its company, this might not have happened. Hackers are always finding new ways to infiltrate systems, so you need to find new ways of protecting them.

Read More: Incident Of The Week

Photo courtesy: StockPhotoSecrets