In a post via the official Japanese Nintendo website, Nintendo claims that hackers have been able to access an estimated 160,000 accounts through the Nintendo Network ID Login method. This allowed the unknown group to access user and password data for Nintendo Network ID’s, also know as NNID. They then used the information to gain access to 160,000 user accounts, making purchases through the saved card or Paypal information on the account.
For those unaware of what NNID’s are, they were login systems created for the WiiU and that of the 3DS. The Switch abandoned this method in favor of newer Online accounts, but those who have an NNID account can still log in with them. This has now caused Nintendo to make the following statement:
Thank you for your continued support of our products.
This time, using a login ID and password information obtained illegally by some means other than our service, a phenomenon that seems to have been made by impersonating the "Nintendo Network ID (* 1, NNID)" from around the beginning of April We have confirmed that it is occurring.
We also confirmed that there was an illegal login to some "Nintendo accounts" via NNID using this impersonation login.Therefore, we are announcing today that we have abolished the function of logging in to a Nintendo account via NNID .
In addition, passwords will be reset sequentially for NNIDs and Nintendo accounts that may have been illegally logged in .
Users that have seen their accounts abused, or at least show evidence of it, have been sent password resets. They have also been instructed to investigate their purchase history and report to Nintendo if it seems like the hackers gained access to the account and used it to make illegal purchases. Users affected by this intrusion should also apply 2-factor security to add an additional layer of protection to their accounts. While actual credit card information wasn’t part of the breach, information like Date of Birth, Country, Gender, and Email addresses are part of the stolen or collected information.
Nintendo’s statement of “obtained illegally by some means other than our service” means they haven’t shared how the attack happened or if this is only the start of something much bigger, possibly leading into their newer Switch accounts.