Japanese gaming company Nintendo confirmed today that hackers gained unauthorized access to around 160,000 user accounts since the start of the month.
Through a statement published on its Japanese site [translated], the company responded to a wave of user complaints that started surfacing over the last weekend.
As ZDNet reported on Monday, Nintendo users took to social media to complain that hackers were accessing their Nintendo accounts and then abusing attached payment card info to buy Fortnite currency and other Nintendo games.
At the time, a credential stuffing attack was ruled out. Many users reported using strong passwords that were unique to their Nintendo profiles and almost impossible to guess or to have leaked anywhere online.
Account hacks taking place via NNID legacy system
Today, Nintendo confirmed that a credential stuffing attack isn’t the source of its recent troubles. Instead, the gaming company says hackers abused its NNID integration.
NNID stands for Nintendo Network ID, a legacy login system used to manage accounts on the old Wii U or Nintendo 3DS platforms.
On newer Nintendo devices, users can link their old NNID accounts to a Nintendo profile. Nintendo didn’t specify what exactly was happening behind the scenes but said that hackers abused this integration to gain access to the main Nintendo profiles.
Nintendo said today it was deprecating the ability to log into main Nintendo accounts using the older NNID profiles.
Nintendo is triggering password resets
In addition, the company says it’s now contacting impacted users to prompt a password reset on both the main and NNID accounts. Nintendo is recommending that users set different passwords for each account, once the password reset kicks in. Users who use the same password for the Nintendo and NNID accounts right now are also advised to use different passwords, even if they haven’t been hacked yet.
Further, the company is also warning customers that hackers might have gained access to other account information, such as Nintendo nicknames, dates of birth, countries of origin, regions, and email addresses.
“We sincerely apologize for any inconvenience caused and concern to our customers and related parties,” the company said. “In the future, we will make further efforts to strengthen security and ensure safety so that similar events do not occur.”