Throughout the month of April, and particularly this weekend, users of online Nintendo accounts on devices like the Switch have reported receiving email notices that their accounts have been accessed by outside parties. Our ability to verify these claims was bolstered by an unfortunate intrusion on Monday: the hijacking of an Ars Technica staffer’s account.
Roughly one hour before this article’s publication, Reviews Editor Ron Amadeo received a plain-text email notice from Nintendo, titled simply, “[Nintendo Account] New Sign-In.” The notice included the following sign-in details: a 5:25pm ET timestamp; the sign-in taking place via the Firefox browser (which Amadeo says “is not even installed” on any devices he used today), and a location estimate of “United States,” which the email says is “estimated based on the IP address used.” IP addresses generally pin users down to the county level when traced in the United States, and they are often as specific as individual cities or states.
The email caught Amadeo’s attention in part because all of his Nintendo devices are, in his words, “collecting dust.” Our cursory research for other affected users brought up threads on Reddit, Twitter, and ResetERA. One Twitter thread included a questionnaire with questions about possible account variables: whether users had logged into the service via a website (which Amadeo had not), whether users had tied their Epic Games or Fortnite credentials to the service (Amadeo had not), and other questions. He did answer “yes” to one question, which over 90 percent of respondents had, as well: use of the Nintendo Network ID service. (Amadeo had used this for Nintendo’s previous home console, the Wii U.)
Nintendo did not immediately respond to Ars Technica’s questions about the source of the breach or about what credentials and personal details may have been accessed by intruders. Thus, we are unsure whether unauthorized logins are thanks to leaked passwords or what other personal details may have leaked (including email addresses, home addresses, phone numbers, usernames, credit cards, or PayPal account information).
In the meantime, we strongly urge anyone who has ever used an online Nintendo service to log into Nintendo’s accounts portal in order to change their passwords, unlink payment credentials, and enable two-factor authorization (2FA). All of these steps can be conducted at the “security” sub-page, whose URL is https://accounts.nintendo.com/security. This also includes a convenient “sign-in history” page. (After logging into his account to do all of the above, Amadeo said he couldn’t recall whether he’d used his Nintendo account password elsewhere but that he believed it was unique.)
It’s not like an attacker could do anything to me, though, right?
Even if this intrusion is incredibly limited, users should be careful.
Amadeo reported this intrusion with a shoulder shrug, noting that the credit card attached to his account was already expired. “What can [a hijacker] even do? Even if there’s a valid credit card, I don’t think you could register a new Switch to my account and start buying games.” This assumption is fueled, in part, by Nintendo’s draconian stance on putting a single account’s credentials onto multiple consoles.
But with a Nintendo account, the possibilities open a bit wider if any valid payment credentials have been saved. This is because of how Nintendo “eShop” purchases work in certain regions of the world. In many territories, you can use the eShop on a Web browser, but this will only allow you to make purchases to the sole Nintendo Switch assigned to your account. Change the eShop region to somewhere like Brazil, on the other hand, and you’ll have the option to buy games’ codes—which you can then email, share, and otherwise claim on any other Nintendo Switch’s account.
All of this assumes that this round of Nintendo account hijackers either harvested usernames and their matching passwords (which is bad) or found a way to log into users’ accounts without any passwords attached (which is much worse). The potential harm only gets worse if the leak includes payment credentials or home addresses and phone numbers—but we’re still waiting to hear whether those leaked.