Nintendo confirmed that 160,000 Nintendo Accounts were breached, and some of the affected accounts were used to buy digital items without their owners' consent. The attackers may also have gained access to personal information, including date of birth, gender, country/region and email address.
Organizations need to watch not only the points of access in their production environments but also every deprecated and development endpoint. These often-forgotten, unsecured APIs give attackers a side door that yields the same confidential data and the same monetary gain as the front door, while bypassing the controls that protect it. Unfortunately, most organizations lack a complete inventory of their APIs, which makes securing them a challenge.
Of the 55 billion credential stuffing attacks Akamai observed, about 22% targeted the gaming industry. Nintendo's latest incident is further evidence that attackers view this industry as a viable and attractive target. To prevent unauthorized access, users should use a unique password (and, where possible, a unique username or email address) for each account, change a password promptly whenever a breach is suspected, and enable multi-factor authentication (MFA) wherever it is offered for an extra layer of security.
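The two points above, a stuffing burst and the legacy endpoint it arrives through, can be picked out of ordinary authentication logs with a simple heuristic: one source IP that tries many distinct usernames with a high failure rate inside a short window is replaying leaked username/password pairs, not guessing one user's password. The following detector is an added example, not code from the original article or from Nintendo; the log format, the `/legacy/login` path, the IP addresses and every log line are constructed, and the thresholds are starting points to tune against your own traffic.

```python
"""Credential-stuffing detector run over constructed sample auth log lines.

Heuristic: a source IP that tries many *distinct* usernames with a high failure
rate inside a short window is replaying leaked username/password pairs rather
than guessing one user's password. Hits are broken down by endpoint so that
attempts arriving through a deprecated login path stand out.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import re

# Hypothetical log format (space-separated key=value fields); adapt LINE_RE to your own.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) path=(?P<path>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def build_sample_log():
    """Constructed sample: one legitimate user plus one stuffing burst via a legacy endpoint."""
    base = datetime(2020, 4, 24, 10, 0, 0)
    lines = [
        f"{base.isoformat()} ip=198.51.100.5 path=/v1/login user=alice result=fail",  # a typo
        f"{(base + timedelta(seconds=20)).isoformat()} ip=198.51.100.5 path=/v1/login user=alice result=ok",
    ]
    still_valid = {3, 17, 25}  # leaked pairs that still work because the password was reused
    for i in range(30):  # 30 different usernames in 90 seconds from one IP
        ts = base + timedelta(seconds=3 * i)
        result = "ok" if i in still_valid else "fail"
        lines.append(f"{ts.isoformat()} ip=203.0.113.7 path=/legacy/login user=user{i:02d} result={result}")
    return lines


def parse(lines):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_users=20, min_fail_ratio=0.8):
    """Return {ip: summary} for sources whose traffic looks like credential stuffing.

    A sliding window runs over each IP's events in time order; the summary kept
    is the matching window with the most distinct usernames, so the successful
    logins it reports are the accounts that need forced re-authentication.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start, best = 0, None
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if e["result"] == "fail")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                if best is None or len(users) > best["distinct_users"]:
                    best = {
                        "distinct_users": len(users),
                        "attempts": len(win),
                        "failures": fails,
                        "successes": sorted(e["user"] for e in win if e["result"] == "ok"),
                        "paths": dict(Counter(e["path"] for e in win)),
                    }
        if best:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse(build_sample_log())).items():
        print(ip, summary)
```

The `successes` list is the actionable output: those are the accounts whose reused passwords still worked and that should be locked, notified and forced through MFA enrolment, while the `paths` breakdown shows which endpoint is carrying the attack and therefore which one to rate-limit or retire.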
How the attackers obtained the customer credentials is still unknown. Regardless, to protect customer data, enterprises must adopt a least-privilege model: each identity, human or machine, is allowed to do no more than its role requires, enforced consistently across every system. A robust identity and access management (IAM) programme is how that model is put into practice. Organizations should also require MFA for all users, securely manage service accounts and their keys (inventory them, rotate them, and remove those no longer in use), review grants regularly so that privilege does not accumulate, and follow best practices for audit logs and cloud logging roles so that misuse is recorded and can be investigated.
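The controls listed above can be checked mechanically. What follows is an added example written for this page, not code from the original article or from any vendor: it assumes AWS-style policy documents (`Statement`, `Action`, `Resource`, `Condition`) and a list of access-key records with creation dates, and it flags the three over-grants that most often defeat least privilege (wildcard actions, wildcard resources, and privileged actions not gated on MFA) alongside service-account keys that have outlived a rotation window. The account id, bucket name, key ids and dates are placeholders.

```python
"""Least-privilege and key-hygiene checks over constructed IAM data.

Assumptions: AWS-style policy documents and a list of access-key records with
creation dates; the policies, account id and key records below are constructed
placeholders, not real data.
"""
from datetime import date

PRIVILEGED_PREFIXES = ("iam:", "sts:", "kms:", "organizations:")  # actions that should require MFA
MAX_KEY_AGE_DAYS = 90
AUDIT_DATE = date(2020, 4, 24)  # "today" for the key-age check


def _as_list(v):
    """IAM allows a bare string or a list for Action/Resource; normalise to a list."""
    return v if isinstance(v, list) else [v]


def _is_privileged(action):
    return action == "*" or action.startswith(PRIVILEGED_PREFIXES)


def _requires_mfa(statement):
    cond = statement.get("Condition", {})
    val = cond.get("Bool", {}).get("aws:MultiFactorAuthPresent")
    return str(val).lower() == "true"


def audit_policy(policy):
    """Return [(statement_index, finding_code)] for Allow statements that over-grant."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((i, "WILDCARD_ACTION"))
        if any(r == "*" for r in resources):
            findings.append((i, "WILDCARD_RESOURCE"))
        if any(_is_privileged(a) for a in actions) and not _requires_mfa(st):
            findings.append((i, "PRIVILEGED_WITHOUT_MFA"))
    return findings


def stale_keys(keys, today, max_age_days=MAX_KEY_AGE_DAYS):
    """Return the users whose service-account keys are older than max_age_days."""
    return [k["user"] for k in keys if (today - k["created"]).days > max_age_days]


# Weak setting: one statement grants every action on every resource with no MFA gate.
OVERLY_BROAD = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Corrected: read one bucket prefix; key rotation limited to the caller's own user and MFA-gated.
SCOPED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::orders-export/*"},
        {"Effect": "Allow", "Action": ["iam:CreateAccessKey", "iam:DeleteAccessKey"],
         "Resource": "arn:aws:iam::123456789012:user/${aws:username}",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
}

SAMPLE_KEYS = [  # constructed key inventory
    {"user": "deploy-bot", "key_id": "EXAMPLEKEY1", "created": date(2020, 1, 1)},
    {"user": "ci-runner", "key_id": "EXAMPLEKEY2", "created": date(2020, 4, 1)},
]

if __name__ == "__main__":
    print("broad:", audit_policy(OVERLY_BROAD))
    print("scoped:", audit_policy(SCOPED))
    print("stale keys:", stale_keys(SAMPLE_KEYS, AUDIT_DATE))
```

Running this over the weak policy reports all three findings on statement 0, the scoped policy passes clean, and `deploy-bot` is reported as holding a key older than 90 days. The same checks can be run from a scheduled job over policies and key metadata pulled from the provider's API, so a grant that drifts back toward `*` is caught before it is needed by an attacker.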