Hackers bombarded Nintendo for a month with 15.46 million bogus login attempts, of which 23,926 struck the jackpot, exposing names, addresses, phone numbers and other personal details of the Club Nintendo customers whose accounts were accessed.
The attack lasted from 9 June to 4 July, Nintendo said in a press release issued on Friday.
The breach was eventually discovered on 2 July - last Tuesday.
Company spokesman Yasuhiro Minagawa told Network World that the login attempts were limited to Japanese accounts.
Nintendo, which is based in Kyoto, has suspended accounts and passwords used in the brute-force attack and is urging members whose data may have been breached to change their passwords, according to The Japan Times News.
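The numbers above show the shape of the attack that a login service should be able to spot on its own: millions of attempts, each against a different account, with a small but non-zero success rate (23,926 successes out of 15.46 million attempts is roughly 0.15%). The following is an added example, not code from Nintendo or from this article, of detection logic that separates that pattern (many distinct usernames per source in a short window) from single-account brute force and from ordinary users. The log format, the IP addresses, the usernames and the thresholds are all constructed for illustration.

```python
"""Credential-stuffing detection over authentication log lines (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample log in a hypothetical "timestamp ip username result" format.
# 203.0.113.5 tries one password each against many accounts (stuffing pattern);
# 198.51.100.7 retries a single account; 192.0.2.9 is a normal login.
SAMPLE_LOG = """\
2013-06-09T02:00:01Z 203.0.113.5 alice FAIL
2013-06-09T02:00:02Z 203.0.113.5 bob FAIL
2013-06-09T02:00:02Z 203.0.113.5 carol OK
2013-06-09T02:00:03Z 203.0.113.5 dave FAIL
2013-06-09T02:00:03Z 203.0.113.5 erin FAIL
2013-06-09T02:00:04Z 203.0.113.5 frank FAIL
2013-06-09T02:00:04Z 203.0.113.5 grace FAIL
2013-06-09T02:00:05Z 203.0.113.5 heidi FAIL
2013-06-09T02:00:05Z 203.0.113.5 ivan FAIL
2013-06-09T02:00:06Z 203.0.113.5 judy OK
2013-06-09T02:00:07Z 203.0.113.5 mallory FAIL
2013-06-09T02:00:07Z 203.0.113.5 oscar FAIL
2013-06-09T09:15:00Z 198.51.100.7 alice FAIL
2013-06-09T09:15:20Z 198.51.100.7 alice FAIL
2013-06-09T09:16:00Z 198.51.100.7 alice OK
2013-06-09T10:00:00Z 192.0.2.9 bob OK
"""


@dataclass
class Bucket:
    """Per (source IP, time window) counters."""
    attempts: int = 0
    successes: int = 0
    users: set = field(default_factory=set)      # every username tried
    hit_users: set = field(default_factory=set)  # usernames that logged in


def parse_line(line):
    ts, ip, user, result = line.split()
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return t, ip, user, result == "OK"


def window_start(t, window_s):
    """Floor a timestamp to the start of its fixed-size window (epoch seconds)."""
    epoch = int(t.timestamp())
    return epoch - epoch % window_s


def aggregate(log_text, window_s=60):
    buckets = defaultdict(Bucket)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        t, ip, user, ok = parse_line(line)
        b = buckets[(ip, window_start(t, window_s))]
        b.attempts += 1
        b.users.add(user)
        if ok:
            b.successes += 1
            b.hit_users.add(user)
    return buckets


def classify(b, min_attempts=10, spread=0.8):
    """Stuffing: many attempts, nearly all against different accounts.
    Brute force: many attempts, all against one account. Otherwise normal."""
    distinct = len(b.users)
    if b.attempts >= min_attempts and distinct / b.attempts >= spread:
        return "credential-stuffing"
    if b.attempts >= min_attempts and distinct == 1:
        return "brute-force"
    return "normal"


def find_attacks(log_text, window_s=60, min_attempts=10, spread=0.8):
    """Return one alert per (ip, window) that is not classified as normal.
    hit_users lists the accounts that should be suspended and reset."""
    alerts = []
    for (ip, start), b in sorted(aggregate(log_text, window_s).items()):
        verdict = classify(b, min_attempts, spread)
        if verdict == "normal":
            continue
        alerts.append({
            "ip": ip,
            "window_start": start,
            "verdict": verdict,
            "attempts": b.attempts,
            "distinct_users": len(b.users),
            "successes": b.successes,
            "compromised": sorted(b.hit_users),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_attacks(SAMPLE_LOG):
        print(alert)
```

The distinguishing signal is the ratio of distinct usernames to attempts, not the raw failure count: a stuffing run from a leaked list looks like thousands of users each getting their password wrong once, which per-account lockout rules never see. Real deployments would key on more than the source IP (attackers spread the list across proxies), but the per-window, per-source spread check is where the analysis starts.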
Club Nintendo is a customer loyalty program that lets users earn rewards in return for consumer feedback and loyalty. Customers can earn credits or "coins" that can get them goodies such as playing cards, tote bags, extended warranties on certain products or downloadables.
The machine translation of the press release is, as they tend to be, garbled. But Sophos's Chester Wisniewski has a hunch that the following passage indicates that the hackers might have thrown gobs of already-leaked passwords - from the likes of Sony, LinkedIn, Zappos et al. - at Club Nintendo.
"This time, membership site that we run " Club Nintendo that an unauthorized login of 23,926 cases were performed using the ID · password that seems Regarding ", and flowing out of the other services were found." [emphasis added]
I was still waiting to hear back from Nintendo's public relations people at the time this article was posted.
If his interpretation is correct, it would mean that the Nintendo accounts that were hacked were casualties of earlier public disclosures of stolen logins from other breaches.
It would also mean that at least 23,926 people didn't listen when they were told to change passwords after those earlier hacks.
We're still waiting to find out if that's true. But all Club Nintendo users should change their passwords anyway. Nintendo stopped this attack, but anyone still using a password that leaked from another service remains exposed to the next one.
Nintendo is only the latest gaming company to be victimized.
Last week, Ubisoft had to jump on the change-your-password-NOW bandwagon after learning its account database had been hacked.
Of course, the mother of all gaming hacks was the PlayStation Network breach of 2011, which saw the personal data of 77 million accounts compromised and forced the network to shutter its doors for more than three weeks.
Gaming. Yikes. It's all fun and games until somebody gets pwned.
Fortunately, it looks like both Ubisoft and Nintendo, at least, didn't store credit card data with account information.
But that won't help affected Nintendo customers who use the same username and password elsewhere. A loyalty account that holds no payment data is still worth breaking into if the same credentials open a customer's email, shop or bank account.
It's just one more example of why we shouldn't repeat passwords on multiple sites.
If you know of gamers (or people in general, of course!) who are guilty of password reuse, do them a favor:
Tell them to hit pause on whatever game they're playing. Then, urge them to change their passwords to ones that are unique and hard-to-guess.
Teach them about password management software, such as LastPass or KeePass.
A password manager can both generate good passwords and store them, so we don't have to remember them, write them down, carve them into our desks or commit password crimes with sticky notes.
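As an added example that is not part of the original article, here is the kind of audit a password manager can do on a stored vault: flag passwords reused across sites, flag passwords that appear in an earlier breach dump, and mint a unique replacement. The leaked-password lookup is modelled on the range-query idea used by breach-checking services, where only the first five hex characters of the SHA-1 hash leave the client and the match is made locally; here the "service" is an in-memory index built from a constructed list, so it runs offline. The vault contents, site names and leaked passwords are all made up for illustration.

```python
"""Vault audit: reuse detection, leaked-password check, replacement generation (added example)."""
import hashlib
import secrets
import string
from collections import defaultdict

# Constructed stand-in for passwords exposed by earlier breaches (illustrative only).
LEAKED_PLAINTEXTS = ["password", "123456", "letmein", "mario64"]

# Constructed vault: the same password on two sites, one of them already leaked.
SAMPLE_VAULT = {
    "club.nintendo": "mario64",
    "webmail": "mario64",
    "bank": "u8#Qz!vT2mLp$9Rw4xEn",
}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(plaintexts):
    """Index leaked hashes by their 5-char prefix, the way a range API serves them."""
    index = defaultdict(set)
    for pw in plaintexts:
        h = sha1_hex(pw)
        index[h[:5]].add(h[5:])
    return index


def is_leaked(password, index):
    """Only the prefix would be sent to a remote service; the suffix match stays local."""
    h = sha1_hex(password)
    return h[5:] in index.get(h[:5], set())


def find_reuse(vault):
    """Map each password used on more than one site to the sites sharing it."""
    by_pw = defaultdict(list)
    for site, pw in vault.items():
        by_pw[pw].append(site)
    return {pw: sorted(sites) for pw, sites in by_pw.items() if len(sites) > 1}


def generate_password(length=20):
    """Random password from a CSPRNG with at least one lower, upper and digit."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw


def audit(vault, index):
    """Return {site: [problems]} for every site whose password should be changed."""
    reused = find_reuse(vault)
    report = {}
    for site, pw in vault.items():
        problems = []
        if pw in reused:
            others = [s for s in reused[pw] if s != site]
            problems.append("reused on " + ", ".join(others))
        if is_leaked(pw, index):
            problems.append("in leaked corpus")
        if problems:
            report[site] = problems
    return report


if __name__ == "__main__":
    idx = build_range_index(LEAKED_PLAINTEXTS)
    for site, problems in audit(SAMPLE_VAULT, idx).items():
        print(f"{site}: {'; '.join(problems)} -> replace with {generate_password()}")
```

The two checks catch the two failure modes in the article: the reuse check finds the accounts a single breach would unlock elsewhere, and the leaked-corpus check finds the passwords that were already public before the attack and would be tried first.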
Only then can any of us hit "resume" with at least a bit more confidence that we won't get targeted and bilked - or, if we do, that the damage is quarantined.