Crooks hijack 160K Nintendo accounts to make digital purchases

Nintendo has confirmed that more than 160,000 user accounts have been hacked.

Cyber crooks are accessing the accounts from remote locations around the globe and in some cases are using them to buy hundreds of pounds worth of digital goods from Nintendo’s online store.

An army of users had reported suspicious activity on their account over the past week, and Nintendo confirmed their worst fears on Friday.

The Japanese gaming giant wrote in a blog post that the “illegal” logins began in early April.

They peaked over the weekend, with many users reporting on social media that they’d received email alerts warning them of unknown IP addresses accessing their Nintendo profiles.

Nintendo admitted that 160,000 accounts which use a Nintendo Network ID to log in may have been hacked.

The company said the hack was not a result of a break-in of its own servers. It declined to disclose how cyber crooks were able to access so many accounts.

“While we continue to investigate, we would like to reassure users that there is currently no evidence pointing towards a breach of Nintendo’s databases, servers or services,” the company said.

“During the investigation, in order to deter further attempts of unauthorized sign-ins, we will not reveal more information about the methods employed to gain unauthorized access.”

Players have been warned that information linked to their accounts, such as their date of birth and email address, may now be in the hands of hackers.

Apparently, people’s credit card and other payment details remain secure.

It’s not clear how much money hackers may have spent using store credit or PayPal login details linked to people’s accounts.

Hackers appear to be buying hundreds of pounds worth of items, such as Fornite V-Bucks, and selling them online at a cut price.

One user on Twitter reported losing $300 in a single day on unauthorized purchases of Nintendo games.

They wrote: “I get home from work and during the drive home my Nintendo account was hacked and they spent 300 dollars on fortnite.”

Another tweeted: “Someone hacked my PayPal and spent $200 on Nintendo games?!”

“Even my Paypal support guy got hit with a hacked Nintendo account,” another user wrote. “I can’t make this s**t up.”

Some users have suggested that people’s usernames and passwords may have been guessed using credentials leaked in data breaches at other sites.

Nintendo said it has now blocked the option to login using a Nintendo Network ID.

Those who have previously logged in using that system will be forced to change their password.

The Sun has reached out to Nintendo for comment.

How to Set Up 2-Step Verification for a Nintendo Account

The best way to secure yourself against hackers is to activate 2-Step Verification on your Nintendo account.

This adds an additional layer of security that can help prevent unauthorized access to your account.

You can also review your sign in history and report suspicious activity by visiting this link.

Here’s what Nintendo says on its website:

  1. Go to https://accounts.nintendo.com and sign in to your Nintendo Account.
  2. Select “Sign-in and security settings”, then scroll down to “Two-Step Verification” and click “Edit”.
  3. Click “Enable two-step verification”.
  4. Click “Submit” to have a verification code sent to the email address shown.
  5. If the email address is incorrect, click “Change” next to the “Email Address” menu setting under “User Information” to change it.
  6. Enter the verification code from the e-mail, then select “Submit”.
  7. Install the Google Authenticator or any other authentication app on your smart device.
  8. Google Authenticator is a free app, available through Google Play (Android) and the App Store (iOS).
  9. Use the smart device app to scan the QR code displayed on your Nintendo Account screen.
  10. A 6-digit verification code will appear on your smart device. Enter the verification code into the field under step 3 on the Nintendo Account screen, then select “Submit”.
  11. A list of backup codes will appear. Click “Copy” to copy all the codes, then paste them somewhere safe.
  12. A backup code will be required for sign-in if you don’t have access to the Google Authenticator app. Make sure to keep these somewhere safe.
  13. You can use these (one time each) if you do not have access to the Google Authenticator app. (Please note that the backup process may differ depending on the authentication app you use.)
  14. Click “Backup codes saved”, then “OK”.

(Once set, you can return to the “Two-step verification settings” section to review the backup codes and remove the 2-step restriction.)