Skip to main content

Nintendo Switch hack hit almost twice as many users as first reported

(Image credit: Shutterstock / Paul Stringer)

Internal Nintendo investigations have revealed that almost twice as many Nintendo accounts were hacked than was originally reported, in a large-scale attack that took place in April.

When the incident first came to light, Nintendo explained that 160,000 accounts had been compromised, but has now almost doubled its estimate to 300,000.

The company has warned that hackers likely gained access to affected users’ email addresses, dates of birth and region data - and that unsanctioned purchases could also have been made via the Nintendo eShop.

The incident was first brought to the company’s attention after a significant number of account holders reported receiving messages alerting them to unauthorized account access.

Nintendo accounts hacked

According to Nintendo, hackers were able to compromise Nintendo Network ID (NNID) accounts using ‘password information obtained illegally by some other means than our service’ - an attack type referred to as credential stuffing

To gain access to Nintendo accounts (used to make purchases on the Switch), hackers abused a mechanism that allowed users to log in via NNID, an account type used for the Wii U and 3DS.

Nintendo subsequently disabled the ability to log into Nintendo accounts using NNID credentials, mitigating against further credential stuffing attacks.

“We sincerely apologize for any inconvenience caused and concern to our customers and related parties,” read a statement published by Nintendo in April.

“In the future, we will make further efforts to strengthen security and ensure safety so that similar events do not occur.”

The additional 140,000 accounts holders will be informed and their passwords automatically reset. Nintendo is also in the process of refunding users for any fraudulent purchases made as a result of the hack.

To minimize the chances of future account compromise, users are advised to set up multi-factor authentication and reset existing passwords.