Video gaming firm Nintendo has warned customers to not reuse passwords on different services after releasing an increased tally of compromised accounts.
Back in April the firm first reported that it had identified 160,000 compromised accounts. Now, in an update, following an investigation by the firm, Nintendo revealed that it was adding an extra 160,000 – bringing the total to 300,000.
It seems the hackers were able to gain access to the accounts through the simple technique of trying credentials that had previously been exposed through other data breaches.
That’s why it’s so important not to use the same password on your Nintendo account as your LinkedIn account, or Myspace account, or Zynga account… or indeed any other online account.
In short, it wouldn’t be fair to describe this as a failing on Nintendo’s part. The problem lies with users who have made the mistake of not following password best practices.
According to the company, whoever compromised the Nintendo Network ID (NNID) accounts would have been able to access personal information such as email addresses, genders, nicknames, regions or countries, and dates of birth, but not customers’ payment card details.
NNID accounts were introduced with the Wii U and Nintendo 3DS, but later migrated to Nintendo accounts so that they could be used to make purchases from the company’s online store.
Nintendo says it is in the process of refunding affected customers, said to number less than 1% of all NNID accounts in existence.
In addition, Nintendo has announced that it will no longer allow users to log into a Nintendo account via NNID.
My advice? You should never reuse passwords on the internet.
Instead, use a password manager that generates long, complex, and unique passwords for you… and then stores them securely.
Oh, and also enable two-step verification on your Nintendo account.
One comment on “Nintendo warns 300,000 accounts have been hacked since early April”
I use a different DOB on every non-financial site and then record that date in my password manager (KeePass).
It is nothing more than an "ID Check" for authentication checks anyway. Not much different than your mother's maiden name.