The attack, which resulted in 23,926 accounts being successfully accessed by the cybercriminals and personal information exposed, does not appear to have relied upon a security flaw in Nintendo’s site. Instead the security breach appears to have been achieved by a rudimentary brute-force attack – perhaps because users were using poorly-chosen passwords or were using passwords that have been used on previously hacked websites.
Fortunately, as in the recent attack against Ubisoft, the financial information of customers was not compromised. However, personal information such as the names, addresses and phone numbers of Nintendo fans has been exposed.
What’s the point of breaking into accounts on a site like Club Nintendo?
Well, not only could you potentially harvest yourself a database of names and email contact details for games players (which could later be used for socially-engineered phishing and malware campaigns), but these sites also incorporate loyalty card points systems which can be used in exchange for games-related merchandise.
The Register reports that Nintendo has reset the passwords of affected users, but victims would be wise to check that they are not also using the same password elsewhere.
What is perhaps most alarming is the length of time that the Club Nintendo website was being bombarded by attempts to break into customer accounts. It’s hard to imagine that a sustained attack like that could have gone unnoticed for nearly one month, and it suggests poor stewardship by Nintendo’s security team.
It’s the latest in a long line of bad news for Nintendo, which is suffering from poor sales of its Wii U console and appears to be losing momentum in the video games market against the likes of the Microsoft Xbox and the far less pricey casual games available for the Apple iTouch, iPhone and iPad.