Nintendo investigating account breaches, advises enabling Two Factor Authentication

The last couple of days have seen a growing number of reports that Nintendo Accounts have been hijacked, with the Japanese manufacturer now actively investigating the issue and offering advice to those affected.

It’s now more important than ever to ensure that you have a secure password that is unique to the service, and to use Two Factor Authentication (2FA), which Nintendo have implemented via Google Authenticator.


Those saying their accounts have been hijacked include a Eurogamer staffer and Ars Technica Reviews Editor Ron Amadeo.

To find out whether you’ve been affected, you simply need to check your emails: Nintendo sends an automated email whenever a Nintendo Account is logged into from a new device. That device can be a console or simply a web browser, and most reported instances feature web browsers that the account owner doesn’t typically use, such as Firefox in the case of Amadeo, along with a location estimate.

You can also log in yourself at Nintendo’s accounts website, and from there view the Sign-in History under the Security section. This is also where you’ll be able to enable 2FA.

While complete account hijacks don’t seem to be taking place – an account is automatically attached to the first Switch console that uses it to access the eShop, and must be deactivated on that device – there’s still the possibility that accounts can be used to make illegitimate purchases.

Responding to a request for comment from Eurogamer, a Nintendo spokesperson said:

We are aware of reports of unauthorised access to some Nintendo Accounts and we are investigating the situation.

In the meantime, we recommend that users enable two-step verification for their Nintendo Account as instructed here:

If any users become aware of unauthorised activity, we encourage them to take the steps outlined at or visit for general support.

There’s still plenty of speculation as to how accounts are being accessed, with enterprising internet users setting up a questionnaire to try and narrow down the possibilities.

2/3rds of respondents noted an unusual log in in recent times, and roughly 2/3rds of those said that they used a “memorable” password and not a randomly generated string from a password locker app, though Amadeo asserts that his password was unique to Nintendo. However, while it’s a small pool of just under 200 affected users, 90% of them also say that they had linked a Nintendo Network ID from Nintendo’s prior online infrastructure for the Wii U and 3DS. This still runs alongside the new Nintendo Account system that was launched for the Switch, and could be providing a backdoor.

It’s a curious case, but there’s no need to panic right now. Just make sure that you double check your Nintendo Account’s security settings and you should be fine.

Source: Eurogamer, Ars Technica
