upnorth

Throughout the month of April, and particularly this weekend, users of online Nintendo accounts on devices like the Switch have reported receiving email notices that their accounts have been accessed by outside parties. Our ability to verify these claims was bolstered by an unfortunate intrusion on Monday: the hijacking of an Ars Technica staffer's account.

Roughly one hour before this article's publication, Reviews Editor Ron Amadeo received a plain-text email notice from Nintendo, titled simply, "[Nintendo Account] New Sign-In." The notice included the following sign-in details: a 5:25pm ET timestamp; the sign-in taking place via the Firefox browser (which Amadeo says "is not even installed" on any devices he used today), and a location estimate of "United States," which the email says is "estimated based on the IP address used." IP addresses generally pin users down to the county level when traced in the United States, and they are often as specific as individual cities or states.
Nintendo did not immediately respond to Ars Technica's questions about the source of the breach or about what credentials and personal details may have been accessed by intruders. Thus, we are unsure whether unauthorized logins are thanks to leaked passwords or what other personal details may have leaked (including email addresses, home addresses, phone numbers, usernames, credit cards, or PayPal account information).

In the meantime, we strongly urge anyone who has ever used an online Nintendo service to log into Nintendo's accounts portal in order to change their passwords, unlink payment credentials, and enable two-factor authentication (2FA). All of these steps can be conducted at the "security" sub-page, whose URL is Nintendo Account.
 

upnorth

A wave of account takeovers hitting Nintendo users over the last few weeks continued largely unabated on Tuesday despite Ars’ coverage of the mass hijackings a day earlier. Nintendo isn’t saying why or how so many accounts continue to get compromised, often within hours of hacked users resetting passwords. A likely reason for the sustained hijacking spree: Nintendo’s failure to warn of the risks posed by legacy accounts.
 

Spawn

"change their passwords, unlink payment credentials, and enable two-factor authentication (2FA)."
After the PSN Hack back in 2011, never allowing payment details to be stored is a great idea.

Pros:
  • Prevents Auto renewals - stops the system from renewing existing subscriptions without user consent
  • Prevents new purchases - which usually have strict refund policies
  • Prevents wallet top-ups - non-refundable purchases
  • Prevents hackers from using your money - stops any unauthorised purchases, less valuable to them (?)
  • Prevents family members from using your money - stops "accidental" in-game MTX purchases

And enabling 2FA is a no-brainer.

Does Nintendo rely on SMS or Authenticator App?
 