In our last episode of “don’t reuse your passwords for every service,” Nintendo announced that bad actors attempted to compromise 160,000 accounts. Now the company is back (Japanese language) to say the problem may extend to yet another 140,000 accounts.
Just as before, Nintendo hasn’t suffered a direct breach. The initial problem stemmed from the company’s decision to allow users to link newer Nintendo Accounts with older Nintendo IDs (NNID). That allowed you to bring information forward from previous systems. But, it also opened users to vulnerabilities, specifically users who reuse passwords.
Rather than try to breach Nintendo directly, hackers will rely on credential stuffing. They’ll grab stolen data from other known breaches, and try to reuse those email and password combinations to access accounts on new sites.
That allowed them to log into somebody else’s Nintendo account and access their Paypal payment details to make fraudulent purchases. Nintendo shut down NNID linking already, but now it’s saying another 140,000 accounts were vulnerable. The problem is, again, password reuse. Nintendo is proactively resetting passwords and contacting affected users.
Password reuse is a scourge that puts users at risk, and more companies (like Nest, Ring, and now Nintendo) are pledging to require two-factor authentication to help stop the problem. But for your own sake, if you haven’t already, you should start using a password manager and stop reusing passwords.