UPDATE 2: One of our readers claimed on Twitter (providing screenshots of the illicit attempts) that “nearly 100 people“ accessed their account over several days.
The screenshots of their accounts log-in history show their account was accessed from Ukraine, Taiwan, Argentina, Indonesia, Armenia, Ireland, Turkey, the United Arab Emirates, Singapore, the Dominican Republic, Suadi Arabia, Brazil South Korea, Paraguay, Armenia, Denmark, Canada, the Netherlands, the United States, Germany, and Austria- all from April 20th to 22nd.
This would suggest either a VPN, bots, or a very wide-spread operation. Due to the multiple log-ins into an account that did not have Paypal or credit card information, we wonder if the process was automated by a bot, or other computer program.
UPDATE: Nintendo of Japan have stated that 160,000 accounts have been accessed illicitly.
The statement on the Japanese website explains that access was obtained via “impersonating the ‘Nintendo Network ID’,” from “around the begging of April.” (Translation: Google Translate). These “impersonations” granted some access to user’s Nintendo Accounts.
Continuing, the statement matches elements of the European and UK statement- that Nintendo Network ID log-ins to access the Nintendo Account are disabled, that the passwords of those who could have been affected have been reset- along with encouraging users not to use the same passwords for the two accounts.
However, the Japanese statement reveals more information about how many have been affected. It states that the number of accounts that “may have received unauthorized login” are “About 160,000.”
While usernames, date of birth, country or region, and email addresses may have been seen by third parties, the Japanese statement claims no credit card number information was viewed. This would be consistent with claims of linked Pay Pay accounts being used to buy V-Bucks.
We will keep you informed as we learn more.
Nintendo of Europe and the UK have stated that there is “currently no evidence pointing towards a breach of Nintendo’s databases” or being hacked.
Previously we reported that Nintendo of Japan had urged its users to use two-step verification, after “In April, the number of inquiries stating that ‘You have been unauthorizedly logged into your Nintendo Account and your credit card has been illegally used’ has been increasing.” (Translation: Google Translate)
We then saw western users stating that their Nintendo accounts had been illicitly accessed from places such as Iraq, Poland, and Chile. Linked Paypal accounts were then used to buy $100 worth of V-Bucks for Fortnite.
However, there had been no confirmation on the issue from Nintendo in the west. Both the official US and European Nintendo Twitter accounts tweeted on April 9th about two-step verification. However, neither tweet made any sign of urgency or there being an issue.
As mentioned in our previous article, The news feed on the Nintendo Switch console also discussed two-step verification features for US users. It also lacks any sense of urgency, sounding more akin to reminding users the feature exists.
Later, Nintendo confirmed to EuroGamer that they were “aware of reports of unauthorised access to some Nintendo Accounts and we are investigating the situation.”
Now, Nintendo of Europe and the UK have openly discussed the issue. Tweets from both official Twitter accounts [1, 2] stating “In response to recent incidents related to some Nintendo Accounts, it is no longer possible to sign into a Nintendo Account using a Nintendo Network ID.”
Previously the Nintendo Network ID and Nintendo Accounts were separate- the former used for online gaming and with the Nintendo 3DS and Wii U, while the latter was used as a rewards program.
Nintendo gradually introduced features to combine these accounts on the Nintendo Switch, including letting users log into their Nintendo Account using their Nintendo Network ID.
The tweets also leas this this statement. While they deny a hack has occurred, they have acted in numerous ways to help counteract future unauthorised access attempts.
“We would like to provide an update on the recent incidents of unauthorised access to some Nintendo Accounts.
While we continue to investigate, we would like to reassure users that there is currently no evidence pointing towards a breach of Nintendo’s databases, servers or services. As one action in our ongoing investigation, we are discontinuing the ability to use a Nintendo Network ID to sign in to a Nintendo Account. All other options to sign-in to a Nintendo Account remain available.
As a further precaution, we will soon contact users about resetting passwords for Nintendo Network IDs and Nintendo Accounts that we have reason to believe were accessed without authorisation.
In addition, we also continue to strongly encourage users to enable two-step verification for their Nintendo Account as instructed here: How to set-up two-step verification for a Nintendo Account.
If any users become aware of unauthorised activity, we encourage them to take the steps outlined in the article about the Nintendo Account recovery process.
During the investigation, in order to deter further attempts of unauthorised sign-ins, we will not reveal more information about the methods employed to gain unauthorised access.
We apologise for the inconvenience and concerns caused to our customers, and we will continue working hard to safeguard the security of our users’ data.”