Hackers gained access to hundreds of thousands of Nintendo accounts in April this year. Nintendo confirmed on Friday 24 April that 160,000 accounts had been compromised since the beginning of the month. Since then, the Japanese video game company has once again fixed security vulnerabilities.
The hackers were able to infiltrate Nintendo systems via a legacy system called Nintendo Network ID (NNID). Players used NNIDs to access online content on Wii U and 3DS, the consoles that have since been discontinued. Nintendo maintained support for the NNID system to allow older players to log in to newer consoles in the same way.
It is unclear how much was stolen in this breach, but it poses a significant security risk. More than 53 million people worldwide own a Nintendo Switch, which is not the company’s only console with online features. Further exploitation of the system’s vulnerabilities could affect millions of people.
During the month, there were rumours of a security breach as users noticed unusual account behaviour. Players reported that funds were missing from their accounts. Some found unauthorized purchases of Fortnite’s virtual currency, V-Bucks, on their accounts.
So far, one of the hackers has been captured by the FBI.
How Nintendo Managed the Disaster
Nintendo is also taking steps to provide its users with more comprehensive security. It has asked players to set up two-step verification for logging into their accounts. Since password theft is such a common problem, this additional step is advisable for anyone with a password-protected account or document.
Nintendo did not reveal how the hackers obtained these NNIDs, but explained that they were not taken from its own services. By using the users’ NNIDs, the hackers were able to gain access to their Nintendo accounts. These accounts contain information such as credit card numbers and PayPal credentials for online purchases.
Apart from financial information, users’ accounts contain sensitive personal information. Birthdays, countries of residence and email addresses are all contained in players’ Nintendo profiles.
The video game giant stated that it will take further steps to increase its security in the future. It did not say what exactly these steps would be, but they probably include testing for additional vulnerabilities.
In response to the breach, Nintendo has discontinued NNID support. Users must now use their email addresses to log in to their Nintendo accounts. The company has also reset the passwords of affected users and notified them by email about the incident.
Strong Cybersecurity is a Must
In order to protect your data and that of your customers, you must constantly adapt your cybersecurity. If Nintendo had applied security measures to the NNID system as comprehensive as those it applied to the rest of the company, this might not have happened. Hackers are always finding new ways to infiltrate systems, so you have to find new ways to protect them.
Nintendo’s data breach was caused by an easily overlooked vulnerability: legacy systems. Your company may be introducing new security measures all the time, but they may not cover older parts of the business process. Any security upgrade that doesn’t take into account the old software and hardware is incomplete.
What does all this mean for CISOs in other companies? Nintendo is not the first company that has experienced such a breach, and probably won’t be the last. In 2022 alone, there were more than 1,400 data breaches in which more than 164 million records and documents were disclosed.
Regular penetration testing may be necessary to find these vulnerabilities. Nintendo probably didn’t think about how the NNID system could be a vulnerability until too late. You may not know where your vulnerabilities are, but penetration testing can help you find them.
The Nintendo breach also underlines the importance of multi-factor authentication. Without it, hackers may only need one password to gain access to your systems.