Monday, April 27, 2020

160,000 Hacked Nintendo Accounts and NNID Sign-Ins Disabled. Overreaction?

By LUDWIG VON KOOPA - Plus, my thoughts on two-factor authentication.

At the start of last week, there were some murmurs of Nintendo Accounts being hacked. It's a topic I care about (and why I'm steadfastly against attaching credit card numbers to your Nintendo eShop account, and why I've shamed the Nintendo Switch Online trial process for forcing you to do so), but, eh, whatever, these kinds of hacks happen all the time (but you can take steps to protect yourself). It wasn't worth writing an article about.

Well, that is, until Nintendo announced their response: 160,000 Nintendo Network IDs (NNIDs) were hacked (which is a small fraction of the total, but...), and as part of their investigation, they are “discontinuing the ability to use a Nintendo Network ID to sign in to a Nintendo Account.” All other methods continue to exist, but those methods generally involve signing in via third-party platforms like Facebook, Twitter, and Google. The NNID was the “log-in with” method that didn't involve having to also register with an untrustworthy California big tech company.

Quick, personal anecdote that illustrates my point: I once used the “log-in with Facebook” option for my Capcom Unity account. (Capcom Unity happens to be going away, as I wrote about last week, but this was back when it still kinda existed.) Then I got banned from Facebook (not because of behaviour issues but because they didn't think my real name is Ludwig Von Koopa). Guess what happened after that? I could no longer log in to Capcom Unity! I had to go through a whole, very avoidable process with CAPCOM's tech support to get that resolved.

You don't want one set of services to be dependent on another. But that's what Nintendo is mandating because... SOME NNIDs got hacked. Not all of them. Mine wasn't. At least, I don't think it was!

Nintendo is also still mandating that to take advantage of the Nintendo Switch Online trial, you have to attach a credit card/PayPal to your Nintendo Account. You know, because a cybersecurity scare where it's serious enough that Nintendo shuts down the ideal method for you to log into your account shouldn't be a reason for Nintendo to inconvenience you by not automatically taking your money after a “free” trial!

By the way, in case it's vague as to why this whole thing is important, you need to log in with your Nintendo Account any time you want to visit the Nintendo eShop and buy/download something. That's of greater importance now when digital downloads—done through the eShop—get a bigger priority since there are a lot fewer physical purchases during a pandemic. Even without that, you'll want to visit the eShop to do things like buy the Ace Attorney games on sale. (That ends in 27 hours as of publishing, so... hurry up.) That said, this NNID lock-out doesn't affect the Wii U or 3DS. Just the Switch. (So buy the Ace Attorney games on the 3DS.)

I suppose I should tell you that your fate isn't entirely tied to the whims of Californian companies. While NNIDs no longer work, there is still a sign-in ID method that can pretty much be the same exact thing as an NNID. You can go and configure that at ...I'm not sure if a hypothetical fellow who stole one's NNID credentials wouldn't think to just use the same credentials for a sign-in ID/password, so maybe you should change one or both of those. While I don't think it's nice to shut down NNIDs for everyone, there's a pretty direct alternative in place, so... it's not all that bad. I'll just miss the Miiverse vestige.

(It's not that I wanted to wait until after my Californian tech companies speech was already written to tell you that... I didn't know until right before I published this article. Still, I stand by my rant.)

[Image: Nintendo Account sign-in and security settings password ID method history]
Talking about this sort of thing in public is kind of a personal security hazard.
(It doesn't actually show your password under the black box, but I figured I might as well.)

While there, you can also choose to use two-factor authentication. Nintendo has implemented that (using Google Authenticator, a smartphone application by an aforementioned big Californian tech company—according to Play Store reviews, once you change your phone, the authenticator doesn't come with you, locking you out of your accounts forever) and it is “strongly” encouraged. A fellow on Twitter asked why it isn't mandatory, and my reply got a bit of popularity:

Personally, I don't want to lug around a smartphone anytime I want to do things with my Nintendo Switch. It'll just make me not want to use it. I hate smartphones with every scale of my being, and I already detest that all of these hardware manufacturers are trying to tie their services to these third-party devices. That nasty feeling is of greater importance to me than people only being able to access my account if they steal my smartphone. (Or are its rightful owner.)

...But if you feel that your security is at risk, then, yeah, go do whatever security thing you want. There's options. You wouldn't want some hacker going in and spending your eShop balance on useless stuff.

...Though I think it'd be cool if they went in and bought everyone a copy of Phoenix Wright: Ace Attorney Trilogy.

KoopaTV is based on Google's Blogger content management system, so while KoopaTV advises you not to rely on Californian big tech companies, KoopaTV relies ENTIRELY on a Californian big tech company. Don't follow KoopaTV's example!

These kinds of breaches are becoming common. CAPCOM became a ransomware victim in November 2020.
As of October 25, 2022, you'll no longer be able to use Facebook or Twitter to log into your Nintendo Account.
