Back in April, Nintendo confirmed that approximately 160,000 Nintendo accounts had been breached, and urged people to switch on two factor authentication. Soon after, the company announced it would be suspending Nintendo Network ID logins as it seemed that was the area from where the breach occurred. Now, it seems that the original number of 160,000 accounts may have been an understatement with Nintendo confirming the number may have in fact have been 300,000 after investigations found an additional 140,000 vulnerable accounts. Nintendo has stated that the company’s own servers were not breached but was a result of people using the same password across multiple accounts which may have been compromised, though the total number of vulnerable accounts was less than 1% of the total accounts.
In the statement back in April, Nintendo said:
We would like to provide an update on the recent incidents of unauthorised access to some Nintendo Accounts.
While we continue to investigate, we would like to reassure users that there is currently no evidence pointing towards a breach of Nintendo’s databases, servers or services. As one action in our ongoing investigation, we are discontinuing the ability to use a Nintendo Network ID to sign in to a Nintendo Account. All other options to sign-in to a Nintendo Account remain available.
As a further precaution, we will soon contact users about resetting passwords for Nintendo Network IDs and Nintendo Accounts that we have reason to believe were accessed without authorisation.
In addition, we also continue to strongly encourage users to enable two-step verification for their Nintendo Account as instructed here: How to set-up two-step verification for a Nintendo Account.
If any users become aware of unauthorised activity, we encourage them to take the steps outlined in the article about the Nintendo Account recovery process.
The people who have been affected in this new round of findings have also been contacted to change their account their details. Remember to keep all your passwords unique for every login and enable two factor authentication wherever it is possible.