Nintendo Breach: What to Know and Expert Commentary

Recently, Japanese video game giant Nintendo disclosed they suffered from a cyber breach. Unidentified hackers gained unauthorized access to 160,000 online accounts; this exposed the personally identifying information (PII) of thousands, although they could not access financial information.

The company released a support page in Japanese detailing that hackers “obtained illegally” the IDs and passwords of affected accounts; the attack appears to center on the Nintendo Network ID. Also, Nintendo disclosed that hackers attempted to log into an unspecified number of accounts using the stolen information. 

In response, Nintendo temporarily disabled all users’ login portal to their online Nintendo accounts. Further, the organization plans to reset all of the affected and potentially passwords; users should expect an email if their password was changed.  

Data exposed in the Nintendo breach may include names, dates of birth, country, gender, and email addresses. However, no payment information appears affected. At the same time, Nintendo did suggest users avoid reusing their Nintendo passwords and suggested implementing two-factor or multifactor authentication.  

Experts Comment on the Nintendo Breach

Ben Goodman

Ben Goodman is CISSP and SVP of Global Business and Corporate Development at ForgeRock.

“Four out of five global data breaches are caused by weak or stolen passwords. Password and username combinations have been the primary login method for years, but as users create more accounts, they fall into the malpractice of reusing the same passwords and usernames across all (or most) accounts to ease the pain of having to remember multiple sets of login credentials. Even if users opt to diversify their login credentials with a password manager, there is still a password and username in place to access password managers for cybercriminals to target.”

“Incidents like this demonstrate why passwords need to become a thing of the past. By adopting a passwordless approach, organizations can bring the same, effortless login experiences users enjoy on their smartphones to every digital touchpoint. Additionally, by centering their security strategies around identity, organizations can ensure security by pushing suspicious users to additional verification.”

Anurag Kahol

Anurag Kahol is CTO of Bitglass.

“Nintendo’s recent security incident further demonstrates how the hundred-billion-dollar video game industry is a growing target for cybercriminals. Personally identifiable information (PII) and financial information are often connected to users’ gaming accounts, which is valuable data that attackers can use to commit financial fraud, identity theft, and trade on dark web marketplaces. Popularly, attackers will compromise and steal valid, high ranking gaming accounts and sell them for a generous profit.”

“How the hackers collected the logins to launch a series of credential stuffing attacks against the impacted Nintendo accounts has yet to be confirmed, but this incident still underscores why organizations must have full visibility and control over their data to prevent unauthorized access to sensitive customer information.”

“To safeguard customer data, organizations should leverage multi-faceted solutions that enforce real-time access control, detect misconfigurations, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent data leakage. Additionally, basic password protection is a must for organizations looking to protect their data.” 

“Organizations must authenticate their users in order to ensure they are who they say they are, before granting them access to their systems. Fortunately, multi-factor authentication (MFA) and user and entity behavior analytics (UEBA) are two tools that can help companies defend their data.”

How to Learn More

Thanks to our cybersecurity experts for their thoughts on the Nintendo Breach. For more information on preventing these kinds of attacks, check out our Identity Management Buyer’s Guide.