Hackers bombarded Nintendo for a month with 15.46 million bogus login attempts, out of which 23,926 struck the jackpot, exposing names, addresses, phone numbers and other personal details of corresponding Club Nintendo customers.
The attack lasted from 9 June to 4 July, Nintendo said in a press release issued on Friday.
The breach was eventually discovered on 2 July – last Tuesday.
Company spokesman Yasuhiro Minagawa told Network World that the login attempts were limited to Japanese accounts.
Nintendo, which is based in Kyoto, has suspended accounts and passwords used in the brute-force attack and is urging members whose data may have been breached to change their passwords, according to The Japan Times News.
Club Nintendo is a customer loyalty program that lets users earn rewards in return for consumer feedback and loyalty. Customers can earn credits or “coins” that can get them goodies such as playing cards, tote bags, extended warranties on certain products or downloadables.
The machine translation of the press release is, as they tend to be, garbled. But Sophos’s Chester Wisniewski has a hunch that the following passage indicates that the hackers might have thrown gobs of already-leaked passwords – from the likes of Sony, LinkedIn, Zappos et al. – at Club Nintendo.
"This time, membership site that we run " Club Nintendo that an unauthorized login of 23,926 cases were performed using the ID · password that seems Regarding ", and flowing out of the other services were found." [emphasis added]
I was still waiting to hear back from Nintendo’s public relations people at the time this article posted.
If his interpretation is correct, it would mean that the Nintendo accounts that were hacked were casualties of earlier public disclosures of stolen logins from other breaches.
It would also mean that at least 23,926 people didn’t listen when they were told to change passwords after those earlier hacks.
We’re still waiting to find out if that’s true. But to stay on the safe side, all Nintendo users should probably change their passwords, just in case. After all, Nintendo stopped the attack, but those who haven’t changed old passwords may still be vulnerable.
Nintendo is only the latest gaming company to be victimized.
Last week, Ubisoft had to jump on the change-your-password-NOW bandwagon after learning its account database had been hacked.
Of course, the mother of all gaming hacks was the PlayStation Network breach of 2011, which saw the personal data of 70 million users compromised and forced the network to shutter its doors for a week.
Gaming. Yikes. It’s all fun and games until somebody gets pwned.
Fortunately, it looks like both Ubisoft and Nintendo, at least, didn’t store credit card data with account information.
But that might not help matters much for any affected Nintendo customers who use the same name and password for other sites. Breaching one set of login data can be the key to accessing all of a customer’s sensitive financial data in such a case.
It’s just one more example of why we shouldn’t repeat passwords on multiple sites.
If you know of gamers (or people in general, of course!) who are guilty of password reuse, do them a favor:
Tell them to hit pause on whatever game they’re playing. Then, urge them to change their passwords to ones that are unique and hard-to-guess.
Teach them about password management software, such as LastPass or KeePass.
A password manager can both generate good passwords and store them, so we don’t have to remember them, write them down, carve them into our desks or commit password crimes with sticky notes.
Only then can any of us hit “resume” with at least a bit more confidence that we won’t get targeted and bilked – or, if we do, that the damage is quarantined.
Images of Nintendo sign and password login courtesy of Shutterstock.
It's long been known that games with clan websites steal re-used passwords to hijack gaming accounts, but I believe this is the first case of a cross-gaming-company password re-use attack.
What's the solution? 2FA on a loyalty site? Too inconvenient.
Dilemma indeed…
User education about password re-use. (Ya gotta try…)
Don’t let automated tools bruteforce like that?
For the love of…monitoring/notice of a threshold of invalid logins? To not notice this going on for nearly a month is silly. Almost certainly they noticed only after customers complained about their accounts being popped.
Force a few rules for passwords (length, complexity) just to eliminate easy guessing. Maybe even force password changes after industry breaches or x months/years.
But yeah, it’s still a dilemma. It’s a loyalty site, and probably not a terribly high value for anyone involved. How much effort do you put into back-end protection and how much do you ask of your users before you upend the value to the business?
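The threshold monitoring the comment above asks for, as an added example that is not part of the article or of the thread: a sliding-window check over login-log lines that flags a source address failing against many distinct accounts inside a short window, and lists the accounts that source nevertheless got into (the ones to force a password reset on). The log format, addresses, account names, window and thresholds are all constructed assumptions; the point is that a credential-stuffing run stands out by its failure volume and its spread across accounts, not by its success rate, which in the Nintendo case was roughly 0.15%.

```python
"""Failed-login threshold alerting for credential stuffing.

Added example, not Nintendo's or Sophos's code.  Log format, thresholds and
sample data are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed log format: ISO timestamp, client IP, account name, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Assumed policy: a source that fails this often against this many distinct
# accounts inside the window is treated as credential stuffing, regardless of
# how many of its attempts happen to succeed.
WINDOW = timedelta(minutes=10)
MAX_FAILURES = 20
MIN_DISTINCT_USERS = 10


def parse_line(line):
    """Return (timestamp, src, user, ok) or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["user"], m["result"] == "OK"


def detect_stuffing(lines, window=WINDOW, max_failures=MAX_FAILURES,
                    min_users=MIN_DISTINCT_USERS):
    """Sliding-window check per source address.

    Returns {src: {"first_seen", "failures", "distinct_users", "compromised"}}
    for every source that crosses the thresholds.  "failures" and
    "distinct_users" are the peak values seen in any triggering window;
    "compromised" is every account the source logged into during those windows.
    Each window is re-counted from scratch, which is fine for an example; a
    production monitor would keep running counters per source instead.
    """
    events = defaultdict(list)  # src -> [(ts, user, ok)]
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, user, ok = parsed
            events[src].append((ts, user, ok))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        alert = None
        for end in range(len(evs)):
            # slide the window start forward until all events fit in `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            failures = sum(1 for _, _, ok in span if not ok)
            users = {u for _, u, _ in span}
            if failures >= max_failures and len(users) >= min_users:
                if alert is None:
                    alert = {"first_seen": evs[start][0].isoformat(),
                             "failures": 0, "distinct_users": 0,
                             "compromised": set()}
                alert["failures"] = max(alert["failures"], failures)
                alert["distinct_users"] = max(alert["distinct_users"], len(users))
                alert["compromised"].update(u for _, u, ok in span if ok)
        if alert:
            alert["compromised"] = sorted(alert["compromised"])
            alerts[src] = alert
    return alerts


def sample_log():
    """Constructed sample: one stuffing source trying 30 accounts in five
    minutes (two leaked passwords still valid), one member who mistypes a
    password three times before getting in, and one unparseable line."""
    base = datetime(2013, 6, 12, 3, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    for i in range(30):
        ts = (base + timedelta(seconds=10 * i)).strftime(fmt)
        result = "OK" if i in (7, 22) else "FAIL"
        lines.append(f"{ts} src=203.0.113.7 user=member{i:03d} result={result}")
    for i, result in enumerate(["FAIL", "FAIL", "FAIL", "OK"]):
        ts = (base + timedelta(seconds=30 * i)).strftime(fmt)
        lines.append(f"{ts} src=198.51.100.4 user=alice result={result}")
    lines.append("this line is not in the expected format")
    return lines


if __name__ == "__main__":
    for src, info in detect_stuffing(sample_log()).items():
        print(f"{src}: {info['failures']} failures across "
              f"{info['distinct_users']} accounts since {info['first_seen']}; "
              f"reset passwords for {', '.join(info['compromised'])}")
```

On the sample data the member who fumbles a password three times is never flagged, while the stuffing source is reported with both accounts it got into. The window and thresholds are the knobs to tune against real traffic; a run like the one in the article, at roughly 600,000 attempts a day, would cross any sane setting within minutes rather than a month.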
The high value is probably not the program itself, but its cache of associated usernames and passwords that probably weren't as well protected as they should have been precisely *because* the program would be perceived to have little value. But since password reuse is common, they've probably just gotten access to a lot more valuable accounts.
I’ve confirmed with a Japanese-native friend that the press release does indeed imply that hacked passwords from third-party services (i.e. password sharing) were responsible for the unauthorized Nintendo account logins.
Whew! It's just the loyalty program site. But I hope they can whip their users into shape so it doesn't happen again.