Nintendo revealed on Tuesday, June 9, that the number of compromised Nintendo accounts has reached a total of 300,000 since April as hackers used others' Nintendo Network IDs (NNID) without permission.
An NNID is a unique username and password used mainly for older Nintendo 3DS and Wii U consoles while newer Nintendo Switch only requires users to create an account using an email address. However, users may link the account to their NNID.
Rumors of the hack first surfaced as early as March while Nintendo made announcements on April 24. The company released a statement saying there were 160,000 hacked accounts. However, Nintendo found an additional compromised account bringing the total to 300,000 as noted in the earlier statement, according to Tech Crunch.
Nintendo hacked accounts reaches 300,000; Here's how to set-up two-factor authentication
In the statement written in Japanese on its website, Nintendo said their continuous investigation on the matter led to finding more hacked accounts.
"We posted a report on unauthorized login on April 24th, but as a result of continuing the investigation after that, there were approximately 140,000 additional NNIDs that may have been accessed maliciously," Nintendo said in its statement.
The company said it has already contacted the affected customers and "reset the passwords for these 140,000 NNIDs and the Nintendo accounts that were linked with them."
Also, the processing of refunds on some breached accounts that were used to make unauthorized purchases is still on-going for each country, but most customers have been refunded already. The company also promised to add measures to strengthen its security.
It was only 160,000 breached NNID logins in April
In April, Nintendo users began complaining on social media about missing funds from their Nintendo accounts. Some users claimed their money was used to buy V-Bucks, the virtual currency for Fortnite.
Aside from logging in to play other users' games, hackers were also able to see the users' personal information like date of birth, country, or region as well as their email addresses. While no credit card information has been viewed, hackers could also access payment services linked to these accounts such as PayPal accounts or credit cards to purchase items or virtual money on Nintendo's platform.
"We sincerely apologize to our customers and related parties for any inconvenience and concern. In the future, we will make further efforts to strengthen security and ensure safety so that similar events do not occur," the company said in an April announcement.
Due to this breach, Nintendo also abolished the logging in function to a Nintendo account via NNID. Those who used NNID to log in were advised to use their Nintendo account email address instead.
Also, the company has performed sequential password resets for NNIDs and Nintendo accounts that may have been compromised. Affected users were sent emails and urged to change their passwords. They are also advised to check their accounts for any unauthorized purchases and request for a refund.
Meanwhile, Nintendo also advised users to set up two-factor authentication for an extra layer of security. This would require a second method of verification such as linking to another app that will generate a code for each login.
How to set-up two-factor authentication
- Sign in to your Nintendo Account.
- Choose Sign-in and security settings, then select 2-Step Verification. Click Edit.
- Click 2-Step Verification settings, then click Send email to have a verification code sent to the email address on file. Make sure the email address is correct. If not, click User Info and click Email address on the menu setting to change it.
- Enter the verification code from the email received and click Submit.
- Download and install the Google Authenticator app.
- Use the app to scan the QR code displayed on the Nintendo Account screen. A 6-digit verification code will appear on the device.
- Enter the verification code into the field under step 3 on the Nintendo Account screen, then Submit.
- Click Copy to copy all the codes that will appear and keep it in a safe place. This backup code will be required to log in when the user cannot access using the Google Authenticator app.
- Click I have saved the backup codes, then click OK.