Throughout the month of April, and particularly this weekend, users of online Nintendo accounts on devices like the Switch have reported receiving email notices that their accounts have been accessed by outside parties. Our ability to verify these claims was bolstered by an unfortunate intrusion on Monday: the hijacking of an Ars Technica staffer's account.
Roughly one hour before this article's publication, Reviews Editor Ron Amadeo received a plain-text email notice from Nintendo, titled simply, "[Nintendo Account] New Sign-In." The notice included the following sign-in details: a 5:25pm ET timestamp; the sign-in taking place via the Firefox browser (which Amadeo says "is not even installed" on any devices he used today), and a location estimate of "United States," which the email says is "estimated based on the IP address used." IP addresses generally pin users down to the county level when traced in the United States, and they are often as specific as individual cities or states.
Nintendo did not immediately respond to Ars Technica's questions about the source of the breach or about what credentials and personal details may have been accessed by intruders. Thus, we are unsure whether unauthorized logins are thanks to leaked passwords or what other personal details may have leaked (including email addresses, home addresses, phone numbers, usernames, credit cards, or PayPal account information).
In the meantime, we strongly urge anyone who has ever used an online Nintendo service to log into Nintendo's accounts portal in order to change their passwords, unlink payment credentials, and enable two-factor authentication (2FA). All of these steps can be conducted at the "security" sub-page, whose URL is Nintendo Account.