160k Nintendo Gaming Accounts Breached in Cyber Attack : What Went Wrong


In April 2022, over 160,000 to 300,000 Nintendo Network accounts were breached in a major cyber attack. There is no confirmed count of how many of those accounts were used to buy games and other digital items on the Nintendo Store, but it is clear that this has become a major data breach incident in gaming since the Zynga breach of 2022. Nintendo has since issued an apology for the incident. Every account owner affected that day received a PSA from Nintendo about the hackers' intrusion into their main server.

What Was Exposed?

Personal information such as real name, home address, email address and even purchase history was found within the exposed data. While there were no records of any sort of exploitation or purchases without the account owner’s consent, the victims of this cybercrime were in a constant state of paranoia, knowing that their names and vital info were seen in a public region of the server.

A Word from the Bitglass CTO 

According to Bitglass CTO Anurag Kahol, Nintendo’s recent security incident further demonstrates how the hundred-billion-dollar video game industry is a growing target for cybercriminals.

Personally identifiable information (PII) and financial information are often connected to users’ gaming accounts, which is valuable data that attackers can use to commit financial fraud, identity theft, and trade on dark web marketplaces. Popularly, attackers will compromise and steal valid, high-ranking gaming accounts and sell them for a generous profit.

To this day, there has been no official report on who caused this disruption or why the culprit did it. Kahol added, “How the hackers collected the logins to launch a series of credential stuffing attacks against the impacted Nintendo accounts has yet to be confirmed, but this incident still underscores why organizations must have full visibility and control over their data to prevent unauthorized access to sensitive customer information.”

Knowing that this can happen to any other gaming company, Kahol warned, “To safeguard customer data, organizations should leverage multi-faceted solutions that enforce real-time access control, detect misconfigurations, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent data leakage.”

Additionally, basic password protection is a must for organizations looking to protect their data. Organizations must authenticate their users in order to ensure they are who they say they are, before granting them access to their systems. Fortunately, multi-factor authentication (MFA) and user and entity behavior analytics (UEBA) are two tools that can help companies defend their data.

A Lesson for Nintendo’s Tech Team 

Nintendo vows to never let this happen again. The company confirmed in June 2022 that there were 300,000 accounts breached during the May 2022 incident. While this was not a complete hack, the fact that a data breach occurred outraged the Nintendo community.

According to a June news article on Forbes, “It’s essential to understand what has gone on here, not least to best learn from the mistakes made. Firstly, there is no evidence to suggest that Nintendo itself has been hacked. The confirmation statement does say (machine translated from the original Japanese) that Nintendo will ‘strive to further strengthen security and ensure safety so that similar events do not occur.’ Unfortunately, the Nintendo confirmation doesn’t establish precisely how the accounts were breached, but there are some important clues to be had. By which I mean that because Nintendo has said that login ID and passwords were ‘obtained illegally from other than our service by some other means,’ and refers to ‘spoofed’ logins occurring, it’s likely we are talking about one of three alternatives.”

Fortunately, the incident has now been settled and all accounts are now fully secured according to Nintendo, thanks to their improved cybersecurity system.

What Could Happen if Hackers Got a Hold of an Account 

There are three major ways a hacker can get your account credentials:

  1. Phishing
  2. Credential stuffing attack
  3. Hard breach

Phishing is when cyber criminals fool you into logging in with your game’s account name and password on a counterfeit website, allowing them to seize your information when you sign in.

A credential stuffing attack is when attackers take account names and passwords exposed at one website and try them on others, which works when you reuse the same passwords on various websites.

A hard breach is when the attacker can quickly work out your account credentials because your password is very weak.

Companies engage in attack simulations called red teaming, usually carried out by in-house teams and frequently supplemented with penetration testing services from external cybersecurity firms such as Aptive. This is done to safeguard against unauthorized access to systems or applications by attackers who have no prior knowledge of the organization’s environment.

Nintendo Players Staying on Guard 

Since the incident, Nintendo has made it mandatory for every user to go through a new log-in system. Of course, everyone was obliged to comply, but that does not mean everything is now 100% safe.
