In a post on its support site, Nintendo admits that “unauthorised access to some Nintendo Accounts” has occurred, but insists that no Nintendo servers or databases were breached.
The first rule of an information security breach is that you tell everyone who has been impacted as early as possible.
And this isn’t some “first rule of Fight Club” stuff. These are the rules laid out by numerous regulatory bodies around the world. For the sake of being specific to the jurisdiction in which Thumbsticks finds itself, we’ll refer to GDPR (the General Data Protection Regulation) and the ICO (the Information Commissioner’s Office, the regulatory body that polices such things) and their guidelines on reporting breaches.
- The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.
- If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.
So where user accounts or data have been breached, the organisation must report it to the ICO within 72 hours, and must notify the individuals potentially affected – in this case, “rights and freedoms” covers personal data and the potential for financial loss – without any “undue delay”.
Given that people have (anecdotally) been complaining of breaches to their Nintendo Accounts for a couple of weeks now, including unauthorised purchases that haven’t been refunded, that’s not looking very good for Nintendo. The developer and publisher has only today (April 24, 2020) issued a statement about the “unauthorised access to some Nintendo Accounts,” which reads as follows:
We would like to provide an update on the recent incidents of unauthorised access to some Nintendo Accounts.
While we continue to investigate, we would like to reassure users that there is currently no evidence pointing towards a breach of Nintendo’s databases, servers or services. As one action in our ongoing investigation, we are discontinuing the ability to use a Nintendo Network ID to sign in to a Nintendo Account. All other options to sign in to a Nintendo Account remain available.
As a further precaution, we will soon contact users about resetting passwords for Nintendo Network IDs and Nintendo Accounts that we have reason to believe were accessed without authorisation.
In addition, we also continue to strongly encourage users to enable two-step verification for their Nintendo Account as instructed here: How to set up two-step verification for a Nintendo Account.
If any users become aware of unauthorised activity, we encourage them to take the steps outlined in the article about the Nintendo Account recovery process.
During the investigation, in order to deter further attempts of unauthorised sign-ins, we will not reveal more information about the methods employed to gain unauthorised access.
We apologise for the inconvenience and concerns caused to our customers, and we will continue working hard to safeguard the security of our users’ data.
The good news is, there doesn’t appear to have been a breach of any of Nintendo’s core systems – including databases and servers containing personal and financial details – which, you may recall, is what happened to Sony’s PlayStation Network in 2011.
The bad news is that, while Nintendo hasn’t made details of the exploit public for obvious reasons, the exposed attack surface will have been fairly large. The unauthorised logins made use of the legacy Nintendo Network ID associated with users’ accounts, and basically everyone who signed up for a Nintendo account on the Wii U or Nintendo 3DS will have one.
To mitigate the vulnerability, Nintendo is disabling the ability to log in with a Nintendo Network ID. But the real fix, the one every user should apply, is to enable multi-factor authentication (which Nintendo refers to as two-step verification) on their Nintendo account. You’ll then have to enter a code generated on your smartphone (using the Google Authenticator app) to log in, which makes your password on its own effectively worthless to an attacker unless they also have the linked mobile phone that generates the authorisation codes.
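To make concrete why a leaked password is not enough once two-step verification is on, here is an added example (not Nintendo’s code, and not from the original article) of the time-based one-time password scheme that Google Authenticator implements (RFC 6238, HMAC-SHA1, 30-second steps) wired into a two-step login check. The account record, the password “hunter2” and the base32 secret are constructed for the demo; the secret is the RFC 6238 reference seed, so the codes match the RFC’s published test vectors.

```python
import base64
import hashlib
import hmac
import os
import struct

# Constructed demo secret (not any real account's): the base32 form of the
# RFC 6238 reference seed "12345678901234567890", so codes match the RFC's test vectors.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

def totp(secret_b32: str, timestamp: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s steps), as authenticator apps compute it."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", timestamp // step)           # 8-byte big-endian time step
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret_b32: str, code: str, timestamp: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to absorb clock drift."""
    return any(
        hmac.compare_digest(totp(secret_b32, timestamp + drift * 30), code)
        for drift in range(-window, window + 1)
    )

def make_user(password: str, secret_b32: str) -> dict:
    """Constructed account record: salted PBKDF2 password hash plus enrolled TOTP secret."""
    salt = os.urandom(16)
    return {"salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000),
            "totp_secret": secret_b32}

def login(user: dict, password: str, code: str, timestamp: int) -> str:
    """Two-step sign-in: a correct password alone is not enough; the code must verify too."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 200_000)
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return "denied: bad password"
    if not verify_totp(user["totp_secret"], code, timestamp):
        return "denied: bad or missing second factor"
    return "ok"

if __name__ == "__main__":
    user = make_user("hunter2", DEMO_SECRET_B32)            # constructed credentials
    now = 1111111109                                          # RFC 6238 test timestamp
    print(login(user, "hunter2", "", now))                    # leaked password alone fails
    print(login(user, "hunter2", totp(DEMO_SECRET_B32, now), now))  # password + code succeeds
```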
Real talk, folks: you should enable multi-factor authentication on any service that supports it. If you wait until a breach comes around, like this one, you might find it’s already too late.