24,000 Nintendo Site Accounts Compromised

← Back to Stories (view on slashdot.org)

24,000 Nintendo Site Accounts Compromised

Posted by samzenpus on Monday July 8, 2013 @04:15AM from the protect-ya-neck dept.

hypnosec writes "Nintendo has revealed that it has detected illicit logins in nearly 24,000 accounts on one of the main fan sites in Japan 'Club Nintendo' and account details such as real names, addresses, emails and phone numbers may have been accessed. According to Nintendo the mass login attempts have been made using a list of login credentials containing usernames and password obtained from some service other than Nintendo. The company revealed that it detected over 15 million login attempts out of which 23,926 were successful."

36 comments

Min score:

Reason:

Sort:

24,000 Accounts? by CanHasDIY · 2013-07-08 04:18 · Score: 3, Funny

So... all of them, then?
Zing.

--
An enigma, wrapped in a riddle, shrouded in bacon and cheese
1. Re:24,000 Accounts? by Trepidity · 2013-07-08 04:51 · Score: 1
  
  The article notes that they have 4 million users just in Japan, oddly enough. That's about 3% of Japan's population.
  
  --
  10 PRINT CHR$(205.5+RND(1)); : GOTO 10
2. Re:24,000 Accounts? by Anonymous Coward · 2013-07-08 04:55 · Score: 0
  
  l: mario
  p: luigi
Just guessing? by jandrese · 2013-07-08 04:19 · Score: 4, Insightful

24,000 successful logins from 15 million attempts sounds like a brute force attack. I wouldn't be surprised at all if all of those compromised accounts had horrible easy to guess passwords.

--

I read the internet for the articles.
1. Re:Just guessing? by ciderbrew · 2013-07-08 04:21 · Score: 1, Insightful
  
  I have lots of easy to guess passwords if they allow 15 million attempts on an account.
2. Re:Just guessing? by Mashdar · 2013-07-08 04:30 · Score: 4, Insightful
  
  GP meant that they tried several easy passwords on many more than 24,000 accounts. 24,000 / 15,000,000 = .16% success rate... This might be the fraction of accounts using 12345 as a password.
3. Re:Just guessing? by tlhIngan · 2013-07-08 04:31 · Score: 2
  
  I have lots of easy to guess passwords if they allow 15 million attempts on an account.
  More like they tried 15M attempts at logging in with various username-password combinations, of which 24,000 of them were successful.
  Though, given how little information Nintendo asks, one wonders what the whole point is - I don't think Nintendo even asks for an address until they absolutely need it, so if it was an account created but not really used, there's no information at all. Maybe a few coins, but you can't take them from one account and consolidate them to another...
  Of course, Nintendo's entire online thing is a bit iffy to begin with - there's at least three different logins for three different systems, none of which are combined - you have a support account, a Nintendo Network account (Wii U) and a Club Nintendo account.
  I suppose a lot of the separation is because well, all the child privacy and protection laws really make it hard to even get something like an email address...
4. Re:Just guessing? by Anonymous Coward · 2013-07-08 04:32 · Score: 0
  
  Your passwords are 4 characters or less?
5. Re:Just guessing? by jandrese · 2013-07-08 04:39 · Score: 1
  
  Right, assuming Nintendo didn't enforce any useful password requirements, there are probably tens of thousands of accounts with 12345, god, and password as their passwords.
  
  --
  
  I read the internet for the articles.
6. Re:Just guessing? by jkflying · 2013-07-08 04:43 · Score: 2
  
  Standard english grammar has 1.1 bits of information per character (at least in larger text bodies).
  
  --
  Help I am stuck in a signature factory!
7. Re:Just guessing? by ciderbrew · 2013-07-08 04:48 · Score: 1, Interesting
  
  How much brute force traffic do you expect before you do something? Especially after Sony got a kick in the nuts with this. Also, I'd expect children to have awful dictionary passwords with only the cleverer dyslexic kids being safe. Their own name and some numbers being the limit. Shame, they could have set some pictures and set up a really good Nintendo'ish password system. More secure than adult stuff now I come to think how it would work.
8. Re:Just guessing? by ciderbrew · 2013-07-08 04:49 · Score: 1
  
  Hey. I see what you're doing there.
9. Re:Just guessing? by Anonymous Coward · 2013-07-08 04:53 · Score: 0
  
  My password is exactly 4 characters, and "less".
10. Re:Just guessing? by Anonymous Coward · 2013-07-08 05:08 · Score: 0
  
  Sooner or later, even yo mamma gets hacked.
11. Re:Just guessing? by Guppy06 · 2013-07-08 05:11 · Score: 1
  
  24,000 out of 15 million? If it really is brute force, why so few?
12. Re:Just guessing? by Anonymous Coward · 2013-07-08 05:13 · Score: 0
  
  it'sa meeeee... username:_____/password:mario would be my guess
13. Re:Just guessing? by Charliemopps · 2013-07-08 05:19 · Score: 1
  
  I have accounts where the password is something useless like that. Those are on sites where the host forced me to create an account to get a coupon or something similarly idiotic to drive up their subscription rates. I suspect these hackers have a nice long list off accounts for the surname "yourself"
14. Re:Just guessing? by Anonymous Coward · 2013-07-08 05:24 · Score: 0
  
  Shame, they could have set some pictures and set up a really good Nintendo'ish password system.
  Porygon causing attackers to have seizures?
  Well, it's not exactly ICE, but it'll do.
15. Re:Just guessing? by TheSkepticalOptimist · 2013-07-08 06:02 · Score: 1
  
  because that is exactly the definition of a brute force, using non-impressive means to gain access to accounts by people stupid enough to use easy to guess passwords.
  
  --
  I haven't thought of anything clever to put here, but then again most of you haven't either.
16. Re:Just guessing? by medv4380 · 2013-07-08 07:21 · Score: 1
  
  Or if all of them happen to be the same Username Password combo from UPlay.
17. Re:Just guessing? by parkinglot777 · 2013-07-08 07:24 · Score: 1
  
  How much brute force traffic do you expect before you do something?
  Obviously, you did not read TFA. Yes, it creates traffic, but it might not create enough noticeable traffic at first until it became obvious later on.
  
  On further investigation Nintendo found that the attempts started on June 9 and the scattered instances of illicit logins became a problem on July 2.
18. Re:Just guessing? by hairyfeet · 2013-07-08 07:42 · Score: 1
  
  Well at least in my neck of the woods the most popular number combo is folks SSN scarily enough. i don't know how many times I have had a customer write down their username and password so I can get in and do the work only to find its their SSN.
  This is why I have been saying for years we really need smart cards or biometrics or something, as the amount of people out there using crazy simple passwords is just nuts. Their SSN, their BDay, the name of their kid or pet, people honestly don't think when it comes to passwords so i'm honestly amazed a brute force attack scored so little, i figured it would be much higher.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
19. Re:Just guessing? by Guppy06 · 2013-07-08 10:16 · Score: 1
  
  using non-impressive means to gain access to accounts by people stupid enough to use easy to guess passwords.
  So you believe that only 24,000 out of 15,000,000 used "easy to guess passwords?"
20. Re:Just guessing? by Trax3001BBS · 2013-07-08 10:46 · Score: 1
  
  I have accounts where the password is something useless like that. Those are on sites where the host forced me to create an account to get a coupon or something similarly idiotic to drive up their subscription rates
  When you come across these sites you should post your log-in info to http://www.bugmenot.com/
  It's helped me get into sites that I didn't wish to log into and I pay back by posting log-in's myself.
  It's become well known and many sites have requested theirs not be listed; but in the long run it works very well.
21. Re:Just guessing? by Anonymous Coward · 2013-07-08 12:00 · Score: 0
  
  I suspect these hackers have a nice long list off accounts for the surname "yourself"
  Let me guess, first name "Go", middle initial "F"?
22. Re:Just guessing? by Anonymous Coward · 2013-07-08 12:52 · Score: 0
  
  Now you're just being an ass.
  Why do I say this? Because there weren't 15,000,000 accounts to begin with. Its 15,000,000 attempts. Now get back to Reading Comprehension class, you fucking need it.
Oh no! by Anonymous Coward · 2013-07-08 05:04 · Score: 0

I better check my account - maybe the hackers found something useful to spend my glut of "coins" on. I sure as hell haven't had much luck with that.
Username or Email? by WillgasM · 2013-07-08 05:19 · Score: 1

Does Club Nintendo use unique usernames, or email addresses for login? Someone probably just got a hold of one of those old Facebook or Twitter lists and decided to try those creds here. Most people use the same password for everything. I'm always reminded of this when setting up an account on random gaming forums. Who's to say they aren't just collecting creds and then later trying them on Facebook, Twitter, etc or getting into my game account and sharding my purples.
How is brute force even a viable means of hack? by TheSkepticalOptimist · 2013-07-08 06:11 · Score: 1

It should be very obvious how to guess the difference between a human logging in an a bot.
If a user is generating 100k failed password attempts a minute, day, week, month, or even a year, chances are they are a bot.
Also if someone is logging in from various places around the world, chances are its a bot. If the user sets up an account from the US or Canada, but is logging in from China one minute then Russia another, its probably a bot.
Also even if the bot has 1 failed attempt a day using some discretionary attack, at some point a server should realize that there is no human stupid enough to fail to enter a password properly on a regular basis. I mean once you enter your password in most browser or on the Wii console, you don't even have to type it in again, so 3 failed attempts in any given period of time should lock you out of your account, period.
What I feel will be the "incorrect" response:
1) Make your password require 10+ characters and the use of special requirements such as caps, digits and symbols
2) Implement some capctha system to prove you are human every time you want to do anything on the system, even after you have logged in.
3) Probably implement some crazy recovery system including having to mail you your password through snail mail to recover the account.
But the reality is I can't understand how any password system could even allow brute force password hacks. Except in the case where you make a one time attempt and use a generic commonly used password list, chances are any system is going to have to make many failed attempts before it gets it right, and there is no way a server should allow more than a few failed attempts before locking down.

--
I haven't thought of anything clever to put here, but then again most of you haven't either.
1. Re:How is brute force even a viable means of hack? by tlhIngan · 2013-07-08 07:18 · Score: 1
  
  Also even if the bot has 1 failed attempt a day using some discretionary attack, at some point a server should realize that there is no human stupid enough to fail to enter a password properly on a regular basis. I mean once you enter your password in most browser or on the Wii console, you don't even have to type it in again, so 3 failed attempts in any given period of time should lock you out of your account, period.
  Except Club Nintendo is NOT tied to anything you already have. It's a separate account and everything.
  In fact, it's sort of useless because all it's good for is entering those codes you get with the system and games, which gives you access to prizes. There's very little personal information (you only need an email address to sign up), and there's absolutely no financial information at all - the rewards of Club Nintendo are paid for completely by Nintendo - no shipping, etc.
  Heck, even shipping addresses may not be all that special, if they're retrievable. And Nintendo only asks for those when they need it.
2. Re:How is brute force even a viable means of hack? by fast+turtle · 2013-07-08 13:26 · Score: 1
  
  Guildwars - I've screwed up and typo'd the damn pw (n)x times in a row w/o hitting their limit. Of course, it's also a registered IP with them so maybe the system would lock things if to many failures from various unrecognized locations.
  
  --
  Mod me up/Mod me down: I wont frown as I've no crown
Linked to Pokémon fansite hack? by ais523 · 2013-07-08 08:42 · Score: 1

A bunch of Pokémon fansites were hacked recently (here's one reasonably detailed report from one of the sites). Although as far as I know no plaintext passwords were stored on any of the servers, there were a bunch of password hash databases taken; and because Pokémon is a Nintendo property, Nintendo's website would be an obvious place to try any username/password pairs that were weak enough to be reversed from the databases (and some plaintext passwords would be available as a result of compromised login forms).
Many of the hacked sites (that I know about, at least) were reasonably small, with user counts measured in thousands; as such, 24 thousand total seems to be a reasonable estimate for the number of accounts that might have been affected.

--
(1)DOCOMEFROM!2~.2'~#1WHILE:1<-"'?.1$.2'~'"':1/.1$.2'~#0"$#65535'"$"'"'&.1$.2'~'#0$#65535'"$#0'~#32767$#1"
Fine, I'll say it by slashmydots · 2013-07-08 12:55 · Score: 1

So...just morons with awful, generic, guessable passwords?
Yahoo hack led to this by bunkymag · 2013-07-08 14:24 · Score: 1

As per the parent post they were referencing a list of usernames and passwords sourced 'elsewhere'. Yahoo jp edition lost pretty much everyone's details about six weeks back - this is more than likely the source.
I have a club nintendo jp account (no notice of hacking yet, though I did receive notice from Yahoo above). From memory the user ID for the club nintendo service needed to be an eight digit number rather than a more usual word based UID. That could easily explain the perceived low success rate of the hack attempts.
Mamamiya! by Anonymous Coward · 2013-07-09 00:35 · Score: 0

All I can think of when Shigeru Miyamoto heard about this, he must of said "Mamamiya! That's-a crazy pizcha-pi-ya!"
indoemu by Anonymous Coward · 2013-07-21 19:36 · Score: 0

excuse me ..
I am from southern Sumatra, Indonesia ..
maybe for you I'm still too far from perfect for the management of the website ..
but I will try and always strive to be better ..
I ask you please to visit my website ..
http://www.indoemu.com/
all about ISO, PSX Emulator game ..
I apologize in advance and thank you very much for the opportunity to comment here ..
once again thank you very much