Suspicious login attempts begin to plague Switch owners, Nintendo to investigate


There's something concerning going on: Nintendo Switch owners are reporting suspicious attempted log-ins to their accounts. Many users say they've received emails from Nintendo with notices of log-ins from new devices, and some say their saved payment information was used to purchase V-bucks in Fortnite without their authorization. While Nintendo hasn't confirmed or denied whether there was a data breach or whether there's a problem unfolding, it would be wise to make sure your account is secured. You can do so by resetting your password, checking your log-in history for unauthorized attempts, removing your linked PayPal or credit card accounts, or turning on 2-Step Verification for your Switch account, which Nintendo themselves recommended just last week.

Nintendo is now aware of the problem and is "investigating the situation". They again recommend that users turn on 2FA.

EDIT: One of our users is conducting a poll to see who has been affected. You can fill it out here.
 

Cyan

I tried to access my account, but it didn't work.

It asked my mail/password
I submit, the page return to the main site (nintendo.fr), but still not logged in.
all retry don't do anything, I can't even return to the login/pass form page.

I'll delete all cookies and try again.
nah, still doesn't work.
maybe browser version issue? or they now have a javascript error on their site?


I tried twice, and I got 2 login notifications by mail.
I didn't have any before so nobody else tried to connect.
still hoping to properly log to enable 2fa.

Edit:
I have access to eshop config and other logged page, just the site bugs and still has "login" instead of my name/mii icon on their top menu.
so, I'm logged, and went to subdomains and could enable 2FA.

my.nintendo.com and accounts.nintendo.com work fine !
nintendo.fr doesn't
 

Mikey242

I am glad that you got your issues resolved and got your refund back, but I hate having to tell you that 2-step will not resolve it. It might be today but in the near future it will be of no use and worthless. I just mentioned my experience above in #107.

Oh yeah you're absolutely right, I'm under no illusions that my account is now 100% safe, that will never be the case. I mean 10 years ago just having a decent password was enough to be reasonably secure and now it just isn't (the password for my first account, with Yahoo was three letters long!). At the end of the day it's just an arms race, with hackers improving as security improves (or the other way round is more likely), the cycle will never end.

Having said this, it is still wise to use 2-step in place of just a password because it does add another layer of security, and quite frankly it should be enforced at this stage since it should be considered the bare minimum.
 

GerbilSoft

I am glad that you got your issues resolved and got your refund back, but I hate having to tell you that 2-step will not resolve it. It might be today but in the near future it will be of no use and worthless. I just mentioned my experience above in #107.
You are spreading misinformation. ("fake news", "lies", etc.) 2FA protects against password breaches from other sites, especially when users reuse the same password in multiple places. The 2FA token is unique on each site, so even if site A is compromised and a user has the same password on site B, the hacker wouldn't be able to login on site B because the 2FA token is different.

In this scenario, 2FA is the only known method that actually stops the Fortnite kiddies from hacking accounts. (It might be related to linked NNID accounts, which have their own passwords and can't be changed from the web interface, but there's no concrete evidence that this is the case.)

On Android, I recommend Aegis Authenticator. It has a JSON export function, so you can back up your 2FA tokens easily.
 

xabier

You are spreading misinformation. ("fake news", "lies", etc.) 2FA protects against password breaches from other sites, especially when users reuse the same password in multiple places. The 2FA token is unique on each site, so even if site A is compromised and a user has the same password on site B, the hacker wouldn't be able to login on site B because the 2FA token is different.

In this scenario, 2FA is the only known method that actually stops the Fortnite kiddies from hacking accounts. (It might be related to linked NNID accounts, which have their own passwords and can't be changed from the web interface, but there's no concrete evidence that this is the case.)

On Android, I recommend Aegis Authenticator. It has a JSON export function, so you can back up your 2FA tokens easily.

I use AEGIS too. What I find really convenient is that you can have the same JSON on more than one device, so if you lose your device or it gets broken you don't need to use the one-time-use codes.
 

Benja81

I haven't gotten any emails, and the only logged-in device listed is mine, so...I'm safe?
Not necessarily safe, but at least lucky so far. I would still at very least change your pwd and consider turning on 2 factor auth for Nintendo accounts, and if you want to go one step further, remove any stored payment info.

It's entirely possible they have your login info, just haven't attempted to use it yet.
 

Tony_93

I have gotten emails about resetting my password. It seems someone got a hold of my email and has been trying to login/reset my password on my Nintendo account. Luckily my email is protected so nothing at fault. Yet...
 

Gamemaster1379

I think I'll just remain in airplane mode, as a precaution.
The issue wouldn't be anything to do with hacking your immediate Switch. It's more so about your actual account and its purchases. A hacker could still make purchases with your account or do something to get it banned while your physical unit is offline.
 

GerbilSoft

it uses google’s authenticator app...which has been hacked several times this year and last year
It's standard TOTP. Nintendo only lists Google Authenticator because they don't feel like listing the numerous other compatible programs.

Other compatible programs include Authy, Aegis, and FreeOTP.
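
An added illustration, not part of the thread, of the two points GerbilSoft makes above: the codes are standard TOTP (RFC 6238), which is why any compatible app works, and each site enrols its own secret, so a reused password plus a code from one site does not pass another site's check. The two secrets are constructed sample values (the first is the RFC 6238 test key).

```python
import base64
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)

def verify(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server side: tolerate +/- `window` steps of clock drift."""
    now = unix_time // 30
    return any(
        hmac.compare_digest(hotp(secret, c), submitted)
        for c in range(max(0, now - window), now + window + 1)
    )

# Constructed enrolment secrets, one per site, in the base32 form an
# authenticator app stores and exports.
SITE_A = base64.b32decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")  # RFC 6238 test key
SITE_B = base64.b32decode("JBSWY3DPEHPK3PXP")                  # made-up second site

def reuse_attempt(unix_time: int) -> dict:
    """The reused password is known; the only code available is site A's."""
    code_a = totp(SITE_A, unix_time)
    return {
        "site_a_accepts_own_code": verify(SITE_A, code_a, unix_time),
        "site_b_accepts_site_a_code": verify(SITE_B, code_a, unix_time),
    }
```

The same property is why an exported token file needs protecting like a password: whoever holds the secret can generate valid codes.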
 

OrionTempest

That explains the weird logins on my 3DS account (for reasons, my 3DS and Switch are on separate accounts). Had 2 emails from yesterday morning (Around 1130AM on April 21) saying that my 3DS account logged in from the US. Not like I have any payment info saved on either anyway.
 

guisadop

I'm not a switch owner, but my NN account was accessed twice in two days - one in the US, another in Ukraine. I immediately changed my password to a totally different password after the first time, but still got the second access, so I came up with an even safer password and it didn't happen anymore. Luckily I have never used the eShop so no CC info is saved.
 

GerbilSoft

I'm not a switch owner, but my NN account was accessed twice in two days - one in the US, another in Ukraine. I immediately changed my password to a totally different password after the first time, but still got the second access, so I came up with an even safer password and it didn't happen anymore. Luckily I have never used the eShop so no CC info is saved.
Make sure you change your NNID password, too. Note that this is only doable on a linked 3DS or Wii U; there's no web interface for changing it, which is rather dumb.
 

FAST6191

If indeed there have been long unique random character passwords compromised here what are we betting on as the failure (especially considering this is Nintendo, who don't exactly have the best history with this sort of thing).

What are we betting on here?

1) Passwords intercepted at cache level or server intercept
2) Token reuse
-Usual boring SQL db dump somehow and-
3) Nintendo left them in plaintext
4) Nintendo used no salt and they got rainbow tabled
5) Nintendo used a weak salt (and not per user or short salt per user already being included in tables) and they got rainbow tabled

6) Some kind of Switch level hack where it sent back nice encrypted password to the totally utterly legit we promise guv server with the encryption key being provided by them? Been theorised for years but I don't know if I have seen one in the wild outside of skiddo botnets being taken over.

The 14-15 long random character stuff some claimed earlier would trouble most rainbow tables I have seen (they tend to be dictionary + urban dictionary + substitutions and all extended ASCII a like up to about 8 characters) but I reckon a decent botnet and/or stolen EC2 time could pump up the random database to something more usable.

Videos for those new to all this



All these "I was accessed from X..." posts... pretty sure you weren't - any hacker not using a vpn deserves the inevitable prison time they'll get.
While I would suggest a nice anonymous VPN to anybody engaged in such activities if you are in deepest, darkest Russia and on some nice hacked/public wifi you can probably skip it.
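
An added illustration, not part of the thread, of why items 3 to 5 in FAST6191's list matter to whoever stores the passwords: with an unsalted hash, one table computed in advance reverses every matching account in a dump, while a per-user salt with a slow KDF makes that table useless. A plain precomputed lookup table stands in for a rainbow table here; the accounts, passwords, wordlist and iteration count are all constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this demo

# Constructed account table: two users share a common password, one uses a
# 15-character random one.
USERS = {"user_a": "mario123", "user_b": "mario123", "user_c": "q7#Vz!r2Lp9@xW4"}
WORDLIST = ["password", "letmein", "mario123", "zelda2020"]  # precomputed dictionary

def unsalted(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

def salted(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(salted(password, salt), stored)

def exposure():
    """Return accounts reversed by one precomputed table, per storage scheme."""
    table = {unsalted(w): w for w in WORDLIST}  # built once, reused on any dump

    weak_dump = {u: unsalted(p) for u, p in USERS.items()}
    cracked_weak = sorted(u for u, h in weak_dump.items() if h in table)

    strong_dump = {}
    for user, password in USERS.items():
        salt = os.urandom(16)                   # unique per user
        strong_dump[user] = (salt, salted(password, salt))
    # Each digest depends on its own salt, so the shared table never matches
    # and identical passwords no longer produce identical records. Guessing is
    # still possible, but only per user and at ITERATIONS cost per guess.
    cracked_strong = sorted(
        u for u, (_, digest) in strong_dump.items() if digest.hex() in table
    )
    return cracked_weak, cracked_strong, strong_dump
```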
 

pcgeek52

If indeed there have been long unique random character passwords compromised here what are we betting on as the failure (especially considering this is Nintendo, who don't exactly have the best history with this sort of thing).

What are we betting on here?

1) Passwords intercepted at cache level or server intercept
2) Token reuse
-Usual boring SQL db dump somehow and-
3) Nintendo left them in plaintext
4) Nintendo used no salt and they got rainbow tabled
5) Nintendo used a weak salt (and not per user or short salt per user already being included in tables) and they got rainbow tabled

6) Some kind of Switch level hack where it sent back nice encrypted password to the totally utterly legit we promise guv server with the encryption key being provided by them? Been theorised for years but I don't know if I have seen one in the wild outside of skiddo botnets being taken over.

The 14-15 long random character stuff some claimed earlier would trouble most rainbow tables I have seen (they tend to be dictionary + urban dictionary + substitutions and all extended ASCII a like up to about 8 characters) but I reckon a decent botnet and/or stolen EC2 time could pump up the random database to something more usable.

Videos for those new to all this




While I would suggest a nice anonymous VPN to anybody engaged in such activities if you are in deepest, darkest Russia and on some nice hacked/public wifi you can probably skip it.

What I think may be happening as well is people using skeleton keys. If a password is difficult but is used on a site that becomes compromised it will no doubt end up in a shared password list. I doubt it's a flaw in their website or information assurance practices. Out of all console manufacturers, Nintendo actually has some good practices. They even offer a $20,000 bug bounty through HackerOne. I imagine a database leak or vulnerability that would lead to something of the sorts would net someone a pretty nice bounty, although selling Nintendo accounts through the grey market may also be a nice financial reward for cyber miscreants. The config for popular cracking tools seems to be on multiple sites for around $300+ and Nintendo needs to investigate how these scripts are running and block them from getting in so many attempts.
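
An added illustration, not part of the thread, of how a service can spot the scripted attempts described in the post above: one source trying many different accounts in a short window with a low success rate, as opposed to one user retyping their own password. The log format, thresholds and every log line are constructed for the example and are not Nintendo's.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (documentation IP ranges, made-up users).
SAMPLE_LOG = """\
2020-04-21T11:30:01Z FAIL user=alice ip=203.0.113.7
2020-04-21T11:30:02Z FAIL user=bob ip=203.0.113.7
2020-04-21T11:30:03Z FAIL user=carol ip=203.0.113.7
2020-04-21T11:30:04Z OK user=dave ip=203.0.113.7
2020-04-21T11:30:05Z FAIL user=erin ip=203.0.113.7
2020-04-21T11:30:06Z FAIL user=frank ip=203.0.113.7
2020-04-21T11:31:00Z FAIL user=gina ip=198.51.100.20
2020-04-21T11:31:20Z FAIL user=gina ip=198.51.100.20
2020-04-21T11:31:45Z OK user=gina ip=198.51.100.20
2020-04-21T11:32:00Z OK user=heidi ip=192.0.2.50
"""

def parse(line):
    ts, result, user, ip = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, result == "OK", user.split("=", 1)[1], ip.split("=", 1)[1]

def stuffing_suspects(log, window=timedelta(minutes=5), min_users=4, max_success=0.25):
    """Map each suspect source IP to the accounts it logged into successfully."""
    by_ip = defaultdict(list)
    for line in log.strip().splitlines():
        when, ok, user, ip = parse(line)
        by_ip[ip].append((when, ok, user))

    suspects = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so it never spans more than `window` of time.
            while events[end][0] - events[start][0] > window:
                start += 1
            chunk = events[start:end + 1]
            users = {u for _, _, u in chunk}
            ok_rate = sum(ok for _, ok, _ in chunk) / len(chunk)
            if len(users) >= min_users and ok_rate <= max_success:
                suspects.setdefault(ip, set()).update(u for _, ok, u in chunk if ok)
    return {ip: sorted(users) for ip, users in suspects.items()}
```

The accounts returned for a flagged source are the ones to force a password reset on, since the login succeeded with a credential the source most likely obtained elsewhere.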
 
