Hackers launch month-long attack on Nintendo, break into 24,000 game players’ accounts

Graham Cluley

Nintendo, the veteran games console maker, has admitted that hackers bombarded its Club Nintendo website with 15.46 million bogus login attempts between 9 June and 2 July 2013.

The attack, which resulted in 23,926 accounts being successfully accessed by the cybercriminals and personal information exposed, does not appear to have relied upon a security flaw in Nintendo’s site. Instead the security breach appears to have been achieved by a rudimentary brute-force attack – perhaps because users were using poorly-chosen passwords or were using passwords that have been used on previously hacked websites.

Fortunately, as in the recent attack against Ubisoft, the financial information of customers was not compromised. However, personal information such as names, addresses and phone numbers of Nintendo fans has been exposed.

What’s the point of breaking into accounts on a site like Club Nintendo?

Well, not only could you potentially harvest yourself a database of names and email contact details for games players (which could later be used for socially-engineered phishing and malware campaigns), but these sites also incorporate loyalty card points systems which can be used in exchange for games-related merchandise.

The Register reports that Nintendo has reset the passwords of affected users, but victims would be wise to check that they are also not using the same password elsewhere.

What is perhaps most alarming is the length of time that the Club Nintendo website was being bombarded by attempts to break into customer accounts. It’s hard to imagine that a sustained attack like that could have gone unnoticed for nearly one month and suggests poor stewardship by Nintendo’s security team.
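
To make the point about detection concrete, here is an added example (not from Nintendo or the original article) of the kind of daily check that makes a sustained login-guessing run stand out in authentication logs. The event format, thresholds and sample data are constructed for illustration.

```python
from collections import defaultdict

def build_sample():
    """Constructed login events: (day, source_ip, account, success)."""
    events = []
    for day in range(1, 6):
        # Ordinary traffic: 20 logins a day, 2 of them mistyped passwords.
        for i in range(20):
            events.append((day, f"198.51.100.{i}", f"user{i}", i >= 2))
    for day in (4, 5):
        # Guessing run: 300 attempts against 300 accounts, 1 success.
        for i in range(300):
            events.append((day, f"203.0.113.{i % 5}", f"victim{i}", i == 0))
    return events

def daily_stats(events):
    """Per-day attempts, failures and the set of accounts that saw a failure."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "accounts": set()})
    for day, _ip, account, ok in events:
        s = stats[day]
        s["attempts"] += 1
        if not ok:
            s["failures"] += 1
            s["accounts"].add(account)
    return stats

def flag_days(events, quiet_days, factor=5, min_fail_ratio=0.5):
    """Flag days whose failures exceed `factor` x the quiet-period average
    and make up at least `min_fail_ratio` of that day's attempts."""
    stats = daily_stats(events)
    # Fixed baseline from a known-quiet period: a rolling average would
    # absorb a weeks-long attack and stop alerting.
    baseline = sum(stats[d]["failures"] for d in quiet_days) / len(quiet_days)
    flagged = []
    for day in sorted(stats):
        s = stats[day]
        ratio = s["failures"] / s["attempts"]
        if s["failures"] > factor * baseline and ratio >= min_fail_ratio:
            flagged.append((day, s["failures"], len(s["accounts"])))
    return flagged

if __name__ == "__main__":
    for day, failures, accounts in flag_days(build_sample(), quiet_days=(1, 2, 3)):
        print(f"day {day}: {failures} failed logins across {accounts} accounts")
```

The distinct-account count matters as much as the raw volume: failures spread thinly across hundreds of accounts look very different from one user repeatedly mistyping a password.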

It’s the latest in a long line of bad news for Nintendo, which is suffering from poor sales of its Wii U console and appears to be losing momentum in the video games market against the likes of the Microsoft XBOX and the far less pricey casual games available for the Apple iTouch, iPhone and iPad.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.