How 160,000 Nintendo Accounts Were Hacked and Sold

Available to WrapPRO members

“Consumer logins are compromised all the time and this is a small piece of a much bigger ecosystem” SpyCloud spokesperson Julia Kisielius says

Photo: Getty Images

When Nintendo recently announced that more than 160,000 individual Nintendo accounts were compromised and personal information leaked, it was thanks to a breach discovered by security research firm SpyCloud. SpyCloud said the compromised Nintendo accounts were being offered on the dark web for as high as $35 per login, driven by increased demand for Nintendo’s Switch consoles and recently released “Animal Crossing: New Horizons” title. SpyCloud researchers determined a hacker was exploiting what’s known as “credential stuffing,” a technique for rapidly checking stolen credentials against online logins in an attempt to break in. The crimeware, dubbed by SpyCloud as “Nintendo Checker”, is a highly complex customized platform written for Microsoft Windows that can specifically check thousands of compromised logins in minutes to find the right one and open a Nintendo account. “Tools like this make it possible for criminals to check individual accounts,” SpyCloud product marketing manager and spokesperson Julia Kisielius told TheWrap. “It’s a common practice for criminals to take a list of passwords that came from a previous data breach and then feed that into a specific type of crimeware software to try rapidly logging into user accounts.” One of the most vulnerable account sign-in options, the outdated Nintendo Network ID, was the most affected and Nintendo opted to shut it down altogether. “All other options to sign-in to a Nintendo Account remain available,” Nintendo clarified. Nintendo also said it immediately alerted all affected users of their account breach and encouraged them to change their passwords and enable two-factor authentication. “We (apologize) for the inconvenience and concerns caused to our customers, and we will continue working hard to safeguard the security of our users’ data,” Nintendo U.K. said in a statement last week. Kisielius said SpyCloud researchers didn’t detect any sign of attempts to break into Nintedo’s corporate holdings. “We found no evidence that Nintendo itself, its employees or its databases were compromised,” Kisielius said. Instead, the attacks were targeting individual customers, and the payment, address, and game information stored on their accounts. SpyCloud routinely monitors web traffic and logins for large companies, alerting them if data is potentially compromised and contracts for some companies to safeguard against data breaches. The company told TheWrap Nintendo is not one of its customers. The Nintendo Checker software SpyCloud examined was coded in a programming language used by most Windows computers. It had a few unique features that suggested its creator was an experienced online criminal, Kisielius said. “We have seen evidence that would suggest this person is involved in other criminal activity and have responsibly disclosed our findings to law enforcement,” Kisielius said, adding that the person responsible could be a self-taught coder. Nintendo did not respond to requests for comment. One detail SpyCloud spotted in the criminal’s code was a license authentication process to let new users activate it after purchase, a method used by many traditional software products. There was also a very sophisticated and unusual feature — a “kill switch” located in the code that lets its creator wipe the program from any computer its on in seconds without trace to keep out unwanted observers. The program was also coded to be highly resistant to debugging attempts or troubleshooting, Kisielius said. Nintendo can expect future breaches, especially as its services and hardware grow in popularity. Its most recent game release, “Animal Crossing: New Horizons” prompted many consumers to buy the Switch in order to play the game with friends. SpyCloud researchers were able to determine that a site that hosted part of the Nintendo Checker source code was last updated March 20, the same day “Animal Crossing: New Horizons” was released. SpyCloud obtained screenshots of attempted illegal account transactions that show accounts being offered for $35, promising access to games including the new “Animal Crossing,” among others. In some cases the email addresses associated with these accounts were changed in order to lock out the original user. SpyCloud also found screenshots of people asking where to buy cracked Nintendo accounts without alerting the company, which has a habit of banning any account it suspects is compromised. The issue of compromised account data is not a problem unique to Nintendo. Consumer logins are compromised all the time and this is a small piece of a much bigger ecosystem” of online crime, Kisielius said. “160,000 accounts doesn’t strike me as that high in comparison.”