A wave of account takeovers hitting Nintendo users over the last few weeks continued largely unabated on Tuesday despite Ars’ coverage of the mass hijackings a day earlier. Nintendo isn’t saying why or how so many accounts continue to get compromised, often within hours of hacked users resetting passwords. A likely reason for the sustained hijacking spree: Nintendo’s failure to warn of the risks posed by legacy accounts.
Long before Nintendo introduced the current account system for Switch and other recent devices, the company used a Nintendo Network ID, or NNID, for the earlier Wii U and 3DS platforms. NNIDs had to be created using the notoriously bad resistive-screen keyboards available on these devices, a constraint that made it hard for users to choose strong passwords. The move to the current system was a vast improvement because accounts can be set up using a Web browser.
Error of omission
But there’s a key shortcoming: NNIDs never died, and despite many users forgetting they had ever set up one of these accounts, many continue to be linked to users’ new accounts. That means unauthorized access to an NNID is all it takes to hijack a new account and make off with any PayPal or Switch eShop funds tied to it. As recently as Tuesday, Nintendo emails warning users of potentially hijacked accounts didn’t mention this key detail.
The email instead said there had been a recent sign-in from a new device and that if users didn’t recognize it they should change their passwords using this link. The Web form changes only passwords for the new login system, not for the older NNID. The email and the page it links to make no mention that NNIDs can also be abused to give miscreants unauthorized access to Switch accounts.
Even when a user took it upon herself to close the NNID password hole, the task is unnecessarily painful and problematic. The process of actually changing the password requires accessing the account with a Wii U or 3DS (instructions here), and there’s always the possibility that users no longer own those older systems. It’s still possible to use a browser to reset an NNID password, but in that case, the new password is limited to only eight characters of Nintendo’s choosing. Even worse, Nintendo emails the user the new password in plaintext.
2FA to the rescue
To Nintendo’s credit, the company on Tuesday issued a statement to reporters advising users of hijacked accounts to enable two-factor authentication on their accounts, and all available evidence suggests this protection will prevent unauthorized access both directly and through NNIDs. The company, it should also be noted, provides instructions here for unlinking an NNID to a current account, but those instructions are not easy to find. Moreover, Nintendo continues to offer incentives to encourage keeping the accounts linked.
Nintendo’s statement to reporters recommending the use of 2FA is a step in the right direction, but from the start, emails notifying users of new sign-ins should have provided this advice. The emails also should have advised password resets not only for current accounts but also for NNIDs, as well as directions for unlinking the two. And in keeping with a concept known as defense in depth—which uses multiple layers of protection to secure systems—Nintendo should give users an easier and more secure way to change NNID passwords. Better yet, the game maker should make it easy to close NNIDs altogether. Last, Nintendo owes it to its customers to say if it knows of any breaches involving its network.
So there you have it. If you’re a Nintendo account holder, the first thing to do is set up 2FA and change the current account password. Out of an abundance of caution, users should also unlink the account from the NNID and change, or at least reset, the NNID password.
In the absence of useful advice from Nintendo, users will have to fend for themselves.