Hackers have gained access to hundreds of thousands of Nintendo accounts this April. Nintendo confirmed on Friday, April 24, that 160,000 accounts were breached since the beginning of the month. The Japanese video game company has since addressed weak points in its security.
Rumors of a breach circulated throughout the month as users noticed unusual account behavior. Players reported that funds went missing from their accounts. Some found unauthorized purchases of Fortnite's virtual currency, V-bucks, on their account history.
It's unclear how much was stolen in this breach, but it represents a considerable security risk. Worldwide, more than 53 million people own a Nintendo Switch, which isn't the company's only console with online functions. Further exploitation of the system's vulnerabilities could affect millions of people.
The hackers were able to infiltrate Nintendo's systems through a legacy system called the Nintendo Network ID (NNID). Players used NNIDs to access online content on the Wii U and 3DS, now-discontinued consoles. Nintendo kept support for the NNID system to allow older players to log into newer consoles the same way.
Nintendo did not reveal how the hackers got these NNIDs but stated it wasn't from their services. By accessing users' NNIDs, the hackers could then gain access to their Nintendo accounts. These accounts hold information like credit card numbers and PayPal credentials for making online purchases.
Apart from financial data, users' accounts contain sensitive personal information. Birthdays, countries of residence and email addresses are all included in players' Nintendo profiles.
In response to the breach, Nintendo has discontinued NNID support. Users will now have to use their email address to log into their Nintendo accounts. The company also reset the affected users' passwords and emailed them about the incident.
Nintendo is also taking steps to provide more well-rounded security for their users. It has asked players to set up two-step verification for logging into their accounts. Since password theft is such a common issue, this extra step is advisable for anyone with any password-protected account or document.
The video game giant stated it would take further steps to strengthen its security in the future. It didn't say what exactly these steps would be, but they likely involve testing for more vulnerabilities.
What does all of this mean for CISOs at other companies? Nintendo isn't the first company to experience a breach like this, and likely won't be the last. In 2019 alone, there were more than 1,400 data breaches, exposing more than 164 million records and documents.
The Nintendo data breach came from an easily overlooked vulnerability: legacy systems. Your company may continually introduce new security measures, but these may not cover older parts of the company's process. Any security upgrade that doesn't account for legacy software and hardware is incomplete.
Periodic penetration testing may be necessary for finding these gaps in security. Nintendo likely didn't consider how the NNID system could be a vulnerability until it was too late. You may not know where your weak points are, but penetration testing can help you find them.
The Nintendo breach also emphasizes the importance of multi-factor authentication. Without it, hackers may only need a password to get access to your systems.
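The two lessons above (a legacy login path and a second factor wired into only the new path) can be shown side by side in a small model. This is an added illustration, not Nintendo's code or a description of its real systems; the account, identifiers, password and static MFA code are constructed, and the two login functions are hypothetical.

```python
"""Toy login service with a legacy 'nnid' path and a modern 'email' path.
login_weak checks the second factor only on the new path, so a linked legacy
identifier plus password still opens a session. login_fixed resolves the
account first and applies one policy to every path, and refuses the legacy
path unless it is explicitly enabled (the remediation of retiring NNID logins).
Everything here is constructed for illustration."""
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    email: str
    nnid: Optional[str]          # legacy identifier linked to the account, if any
    password: str                # plaintext only because this is a toy model
    mfa_enabled: bool = True
    mfa_code: str = "000000"     # constructed static code standing in for a TOTP

def find_account(accounts, method, identifier):
    """Resolve a login identifier to an account over either path."""
    for acct in accounts:
        if method == "email" and acct.email == identifier:
            return acct
        if method == "nnid" and acct.nnid == identifier:
            return acct
    return None

def login_weak(accounts, method, identifier, password, mfa_code=None):
    """Weak design: MFA is enforced per path, and the legacy path forgot it."""
    acct = find_account(accounts, method, identifier)
    if acct is None or not hmac.compare_digest(acct.password, password):
        return "denied"
    if method == "email" and acct.mfa_enabled and mfa_code != acct.mfa_code:
        return "mfa_required"
    return "session"

def login_fixed(accounts, method, identifier, password, mfa_code=None,
                legacy_enabled=False):
    """Hardened design: legacy path off by default; MFA is an account-level
    policy applied after the account is resolved, whatever path was used."""
    if method == "nnid" and not legacy_enabled:
        return "legacy_path_disabled"
    acct = find_account(accounts, method, identifier)
    if acct is None or not hmac.compare_digest(acct.password, password):
        return "denied"
    if acct.mfa_enabled and mfa_code != acct.mfa_code:
        return "mfa_required"
    return "session"

# Constructed sample: the legacy NNID is linked to the same account as the email.
ACCOUNTS = [Account(email="player@example.com", nnid="player_nnid", password="hunter2")]
```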
To protect your data and that of your clients, you need ever-adapting cyber security. If Nintendo had introduced more well-rounded measures as it advanced the rest of its company, this might not have happened. Hackers are always finding new ways to infiltrate systems, so you need to find new ways of protecting them.