Current suspects include: Wario, Bowser Jr. —

160,000 Nintendo accounts were compromised—including one of ours [Updated]

Nintendo has since confirmed breach: "160,000" affected, personal information leaked.

Video game plumber Mario stands in front of My Nintendo logo.
Enlarge / It's-a me, your Nintendo account's hijacker!

Throughout the month of April, and particularly this weekend, users of online Nintendo accounts on devices like the Switch have reported receiving email notices that their accounts have been accessed by outside parties. Our ability to verify these claims was bolstered by an unfortunate intrusion on Monday: the hijacking of an Ars Technica staffer's account.

Roughly one hour before this article's publication, Reviews Editor Ron Amadeo received a plain-text email notice from Nintendo, titled simply, "[Nintendo Account] New Sign-In." The notice included the following sign-in details: a 5:25pm ET timestamp; the sign-in taking place via the Firefox browser (which Amadeo says "is not even installed" on any devices he used today), and a location estimate of "United States," which the email says is "estimated based on the IP address used." IP addresses generally pin users down to the county level when traced in the United States, and they are often as specific as individual cities or states.

The email caught Amadeo's attention in part because all of his Nintendo devices are, in his words, "collecting dust." Our cursory research for other affected users brought up threads on Reddit, Twitter, and ResetERA. One Twitter thread included a questionnaire with questions about possible account variables: whether users had logged in to the service via a website (which Amadeo had not), whether users had tied their Epic Games or Fortnite credentials to the service (Amadeo had not), and other questions. He did answer "yes" to one question, which over 90 percent of respondents had, as well: use of the Nintendo Network ID service. (Amadeo had used this for Nintendo's previous home console, the Wii U.)

Nintendo did not immediately respond to Ars Technica's questions about the source of the breach or about what credentials and personal details may have been accessed by intruders. Thus, we are unsure whether unauthorized logins are thanks to leaked passwords or what other personal details may have leaked (including email addresses, home addresses, phone numbers, usernames, credit cards, or PayPal account information).

In the meantime, we strongly urge anyone who has ever used an online Nintendo service to log in to Nintendo's accounts portal in order to change their passwords, unlink payment credentials, and enable two-factor authentication (2FA). All of these steps can be conducted at the "security" sub-page, whose URL is https://accounts.nintendo.com/security. This also includes a convenient "sign-in history" page. (After logging in to his account to do all of the above, Amadeo said he couldn't recall whether he'd used his Nintendo account password elsewhere but that he believed it was unique.)

It’s not like an attacker could do anything to me, though, right?

Even if this intrusion is incredibly limited, users should be careful.

Amadeo reported this intrusion with a shoulder shrug, noting that the credit card attached to his account was already expired. "What can [a hijacker] even do? Even if there's a valid credit card, I don't think you could register a new Switch to my account and start buying games." This assumption is fueled, in part, by Nintendo's draconian stance on putting a single account's credentials onto multiple consoles.

Google's automatic translation of the "how to buy" instructions at the Brazilian Nintendo eShop. The game in the background, <em>Panzer Dragoon: Remake</em>, costs roughly $21 in US currency.
Enlarge / Google's automatic translation of the "how to buy" instructions at the Brazilian Nintendo eShop. The game in the background, Panzer Dragoon: Remake, costs roughly $21 in US currency.
Nintendo Brazil

But with a Nintendo account, the possibilities open a bit wider if any valid payment credentials have been saved. This is because of how Nintendo "eShop" purchases work in certain regions of the world. In many territories, you can use the eShop on a Web browser, but this will only allow you to make purchases to the sole Nintendo Switch assigned to your account. Change the eShop region to somewhere like Brazil, on the other hand, and you'll have the option to buy games' codes—which you can then email, share, and otherwise claim on any other Nintendo Switch's account.

All of this assumes that this round of Nintendo account hijackers either harvested usernames and their matching passwords (which is bad) or found a way to log in to users' accounts without any passwords attached (which is much worse). The potential harm only gets worse if the leak includes payment credentials or home addresses and phone numbers—but we're still waiting to hear whether those leaked.

Update, April 21: Hours after the company's European arm issued a statement to Eurogamer, formally asking all of its users to turn on 2FA, a Nintendo of America representative offered a nearly identical statement to Ars Technica:

We are aware of reports of unauthorized access to some Nintendo Accounts and we are investigating the situation. In the meantime, we recommend that users enable two-step verification for their Nintendo Account as instructed here: https://en-americas-support.nintendo.com/app/answers/detail/a_id/27496. If any users become aware of unauthorized activity, we encourage them to take the steps outlined at https://en-americas-support.nintendo.com/app/answers/detail/a_id/47194 or visit https://support.nintendo.com for general support.

Click here for Nintendo of America's official guidance about turning on 2FA via Google Authenticator (that method also works with other authentication apps). Nintendo of America did not offer answers to our questions about the nature of the breach or how Nintendo is planning to address it.

Update, April 24: Nintendo has now issued a statement (Google Translate) confirming up to 160,000 Nintendo Accounts have been affected by the recent breach. Nicknames, date of birth, gender, country/region, and email address information may have been viewable by hackers, the company says. There's no indication that credit card information was visible to hackers, though, even as some accounts may have seen illegitimate purchases through linked payment information.

Nintendo says it has discontinued the ability to link outdated Nintendo Network IDs to Nintendo accounts, which appears to have been the main vector for the credential-stuffing attacks. Compromised Nintendo Network IDs will have their passwords reset automatically.

Nintendo continues to urge its users to activate two-factor authentication on their accounts to prevent any further breaches.

The April 21 update has been revised to include direct comments from Nintendo of America.

Channel Ars Technica