What Happened? Nintendo

Data Hacked to Buy Fortnite Currency

By Najmeh Tima

“What Happened?” is an occasional feature by Digital Privacy News that looks back on some of the tech industry’s biggest data breaches last year.

Nintendo has experienced several hacks in recent years — but one of its biggest came last year, when the personal identifiable information (PII) of 300,000 users was leaked in a scheme to buy Fortnite cryptocurrency.

“People have lost their life savings, have had counterfeit passports and other identity cards created using their information,” Nick Espinosa, an Illinois intelligence analyst, told Digital Privacy News, “which can then get them into legal trouble if the identity thief commits a crime while impersonating them.”

Ben Goodman, senior vice president of ForgeRock, a digital identity-platform provider in San Francisco, noted that the leaked PII could have been used in other malicious ways.

“The loss of the PII itself may weaponize a bad actor for further hacking,” he said, “to steal identities, reset passwords and take over accounts for other sites or impersonate an individual.

“This data in the wrong hands is dangerous.”

Nintendo first disclosed the attack last April 24, providing no details of how the breach was discovered or who the hackers were. It did say that this PII was leaked: nicknames, dates of birth, countries-regions and email addresses.

Then, in a June 9 update, Nintendo said that usernames and genders also were leaked.

But for several months before the first disclosure, Nintendo users posted on Twitter and Reddit how their PayPal accounts were being used to buy hundreds of dollars in games — or in “V-bucks,” a main form of currency in Fortnite and other online video games. 

“People have lost their life savings, have had counterfeit passports and other identity cards created using their information.”

Nick Espinosa, Illinois intelligence analyst.

The company said last April: “We deeply apologize for any inconvenience and concern caused to our customers and related parties.

“In the future, we will strive to further strengthen security and ensure safety so that similar events do not occur.”

Nintendo, the Japanese company with offices in Redmond, Wash., did not return repeated requests for comment from Digital Privacy News.

Espinosa noted that “each data breach is ‘unique’ and in some cases, it is a better strategy to publicly announce the suspects, especially in instances of one nation-state attacking another nation-state.” 

Espinosa is the founder of Security Fanatics in South Barrington, Ill.

June Announcement

In the June announcement, Nintendo said that around the beginning of April 2020, hackers obtained the login IDs and password information apparently via “spoofed” logins and Nintendo Network IDs (NNIDs). 

According to Espinosa, “spoofing” occurs when an employee or user falls for a phishing attack, or when an employee or user employs the same password for Nintendo as for the dark web, which allows a hacker to access it.

Nintendo said that “name, date of birth, gender, country-region, email address of Nintendo accounts linked to NNID with no two-step verification” also might have been viewed by a third party in the attack. 

The company then abolished the function to log in to vulnerable Nintendo accounts via NNIDs — and it reset passwords sequentially for NNIDs and Nintendo accounts that might have been logged in illegally because of the incident. 

“In the future, we will strive to further strengthen security and ensure safety so that similar events do not occur.”

Nintendo Co. Ltd.

While otherwise remaining silent about the attack in the announcement, Nintendo advised users: “Avoid reusing the password you have already used for other services and set different passwords for your NNID and Nintendo account.” 

In response to the initial user disclosures on Twitter and Reddit, before announcing the breach, Nintendo cautioned users to enable two-factor authentication (2FA) on their accounts, suggesting this might prevent intrusions.

“Considering Nintendo’s infrastructure and users around the world,” Espinosa told Digital Privacy News, “I guarantee you Nintendo is constantly under cyberattack.”

He noted that “aging of the cybersecurity design, like zero-trust architecture, human error or lack of management of cybersecurity operations” could have been factors at play in last year’s attack — as well as in others in recent years.

Several Solutions 

For a large user-based company like Nintendo, upgrading to multifactor authentication would be costly and time-consuming, Espinosa told Digital Privacy News.

“Like many companies, Nintendo only really focuses on improving cybersecurity in this manner after breaches occur,” he observed.

Citing his personal experience with Nintendo products, Espinosa explained that “the option for 2FA or multifactor authentication (MFA) is required by ‘default’ when a user has historically signed up for a Nintendo account to use a Nintendo gaming console or portable device.”

Large platforms want people to “quickly and easily” sign up, he said.

“Putting a new user through a more time-consuming security process is bad for business,” Espinosa continued. “Why, however, Nintendo chose to do that, I cannot speak to.

“It’s beyond important to have 2FA on everything,” he said. “If a password is stolen, even a complex one, then 2FA becomes the defense for the account that prevents malicious access.” 

ForgeRock’s Goodman, however, called for passwordless solutions, arguing that “advancements in identity technology make it possible to eliminate usernames and passwords.

“This data in the wrong hands is dangerous.”

Ben Goodman, ForgeRock.

“It improves user security while also preserving and providing a great user experience.”

2FA is a good solution that greatly increases the security of login, but it isn’t a panacea, Goodman cautioned.

He, instead, suggested “biometric authentication” and standards like web authentication (WebAuthN) that could eliminate 2FA and enable passwordless solutions.

Extra Motivation for Hackers

After the incident, Nintendo sent new passwords to those whose accounts were hacked and eliminated log-in through NNIDs.

“Phishing through email is also a common attack vector,” Goodman told Digital Privacy News. “Using passwords is inherently not secure.

“Organizations should focus on eliminating them and going passwordless altogether.”

Najmeh Tima is a writer in Iran.

Major Nintendo Breaches

Here are some of the major hacks at Nintendo in the last decade:

  • Hacker group Lulz Security breached the company in 2011 to warn of repairing security holes. 
  • From June to July 2013, Nintendo reported 23,926 successful fraudulent log-in attempts.
  • In 2018, the English hacker and security researcher, Zammis Clark, 24, through virtual private networks (VPNs), gained access to Nintendo’s 2,365 usernames and passwords. Nintendo estimated damages of $913,000 to $1.8 million. Clark was sentenced to 15 months’ imprisonment, suspended for 18 months. 
  • In 2019, the FBI found numerous digital devices containing thousands of Nintendo’s files in the home of a stalking hacker, Ryan S. Hernandez, 21, of Palmdale, Calif., who had been hacking Nintendo since 2016. He pleaded guilty to two charges in January and agreed to pay $259,323 in restitution.

“The level of vigilance a company like Nintendo has to maintain is rather staggering,” Nick Espinosa, an Illinois intelligence analyst, told Digital Privacy News.

“Nintendo has to do everything right for their security all the time in order to be secure,” he said. “The criminals just have to find a way in once.”

— Najmeh Tima