The Nintendo Cyber Security Information Breach

The security incident affecting 160 000 Nintendo accounts: why password reuse is bad, and what is credential stuffing?

On April 24, 2020, the electronics and gaming company Nintendo announced a cyber security incident that had been going on since the beginning of the month. They admitted that somebody had spoofed Nintendo Network ID logins (NNID, used in older products like the Nintendo 3DS or the Wii U console) using information "illegally obtained from other than our service by some means". At first, the company described the size of the breach only as "some Nintendo Accounts were illegally logged in via NNID".

NNID is a legacy authentication system that does not provide two-factor authentication, and this is one of the most important circumstances that allowed this breach to happen at all. The typical flow of two-factor authentication is proving your identity by, on one hand, something you know (your password), and on the other hand, something you have (that is, your mobile phone). Even if the password leaks due to a cyber security incident like this one, the attacker cannot access or mimic your mobile phone, and consequently cannot log in. Nintendo's two-step verification uses a mobile app, namely Google Authenticator; yet that was not an option in the case of NNID-based authentication. Moreover, to make it easy to enter passwords even on handheld consoles, the minimum password length of NNID was 6 characters. This resulted in very weak passwords that one can recover even by a brute force attack. The industry standard minimum length is 8 characters.

Later in the announcement they specified the size of the breach, stating that the cyber security incident affected 160 000 accounts. Of these accounts, 1% were used for fraudulent purchases. Concerning the type of data accessed, nickname, date of birth, country, region, and e-mail address were revealed. Nintendo emphasized that credit card information did not leak, but as we will see later, this was only partially true.

Credential stuffing

According to Hot for Security, the attack might have been a credential stuffing attack: the hackers simply tried to use usernames and passwords from other breaches. People tend to use the same credentials on multiple sites, and this can easily lead to cross-site compromise.

In a credential stuffing attack, criminals try to log in to a system, manually or by using tools, with usernames and passwords leaked elsewhere, in other breaches. The Mitre ATT&CK entry on this issue states that "Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised, and the user account credentials accessed". When there is a match, the data thief can exploit the compromised accounts or sell them on the black market. This is valuable data because of credential overlap, that is, people using the same password on different sites. This is unfortunately a rather common practice: according to research done by LogMeIn, 59 percent of users admit doing this.

The Nintendo attack was not an isolated one, of course – there are quite a few famous cases besides it. In August 2018, British health and beauty retailer Superdrug was blackmailed with a claim that twenty thousand user accounts had been compromised in a credential stuffing attack based on earlier hacks and leaks. In October 2016, attackers got hold of private data of Uber's customers by using authentication information of Uber employees from previous data breaches. Again, this was possible because employees used the same passwords on multiple sites. Although two-factor authentication was available, it was not activated for these accounts. This led to the compromise of 32 million users' records and 3.7 million drivers' data. The attackers blackmailed Uber, and they paid, but did not publish the cyber security incident until a year later. All this resulted in a fine of 385 000 GBP by the UK Information Commissioner's Office.


Tales from the dark side

Credential stuffing attacks can be generic or custom. In a generic attack, the perpetrator uses boxed software like Sentry MBA or HashCat with a properly set up configuration file. For a custom attack, attackers develop a proprietary tool. In the latter case, this custom tool has a price on the black market, as some expertise is needed to write such a tool.

Interestingly, the online fraud prevention and cyber security company Spycloud got access to the source code of the custom account checker tool that was specifically written to steal Nintendo accounts. A notable characteristic of this application was a strong defense layer against unauthorized users (just to make it clear: user here means the bad guy who bought this tool from another bad guy who developed it). It applied certain copy protection techniques and did not allow using it without payment or running it on more than one computer. First and foremost, it had a kill switch that allowed the developer to delete the program from the user's computer. It also protected itself against debugging and checked for the presence of Wireshark, Fiddler or some other common reverse engineering and sniffing tools. If such a tool was detected, the program's execution was aborted immediately by triggering the kill switch. Still, the list of banned tools was a blacklist, so this was just a bit of an annoyance for someone who really wanted to understand how this tool worked.

The account checker also used proxies to hide the IP address of the attacker. This made it harder for the attacked site to tell it apart from legitimate traffic. A malicious user had to configure these proxies as well as provide the list of user-password pairs obtained from other cyber security breaches. This database of leaked passwords did not necessarily have to be a recent one; due to people's sustained lack of security consciousness, any list of passwords – even an old one – might have worked.

Upon harvesting the accounts, the tool provided some insights into the compromised profiles, like data about Nintendo Gold Points, Nintendo Shop and Nintendo eShop balance, the user's PayPal ID, credit card type, card expiration, currency, and the first 6 and last 4 digits of the credit card number. So, some credit card data did leak in the end.

The human factor of cyber security

What we can obviously learn from this story is that companies should use strict password policies. They can for example follow the password policy advisory from the National Institute of Standards and Technology (NIST), most importantly NIST Special Publication 800-63B Digital Identity Guidelines, Section 5.1.1, which specifically deals with password policy best practices. Complementing this, the operations team should continuously monitor for weak or stolen passwords. Finally, it is a good idea to make two-factor authentication obligatory; to date there is no substantial resistance against such solutions anymore, and users have accepted it as a means of more secure authentication (psychological acceptability is always an important principle when designing security solutions).
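As an added illustration of what a password policy following SP 800-63B Section 5.1.1 looks like in code (this is not Nintendo's implementation nor code from this article): user-chosen secrets of at least 8 characters, at least 64 characters accepted, no composition rules, and every candidate compared against a blocklist of breached passwords, keyboard runs and context-specific words such as the username or the service name. The breach corpus below is a small constructed sample; a real deployment would use a full breach list or a k-anonymity range lookup against a service such as Pwned Passwords, which is why the index is partitioned by the first five hex characters of the SHA-1 digest.

```python
import hashlib

# Constructed sample breach corpus (assumption); a real verifier uses a full breach list.
BREACHED_PASSWORDS = {"123456", "password", "qwerty", "nintendo1", "mario123", "12345678"}

MIN_LENGTH = 8    # SP 800-63B 5.1.1.2: user-chosen memorized secrets are at least 8 characters
MAX_LENGTH = 64   # verifiers SHOULD accept at least 64 characters
KEYBOARD_RUNS = ("0123456789", "abcdefghijklmnopqrstuvwxyz", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def build_breach_index(passwords):
    """Index SHA-1 digests by their first five hex characters, the same partition a
    k-anonymity range query uses, so a client reveals only a prefix, never the full hash."""
    index = {}
    for pw in passwords:
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


BREACH_INDEX = build_breach_index(BREACHED_PASSWORDS)


def is_breached(password, index=BREACH_INDEX):
    """Look the candidate up in the prefix-partitioned breach index."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in index.get(digest[:5], ())


def is_sequential(lowered):
    """True for runs such as '12345678' or 'qwertyui', forwards or backwards."""
    if len(lowered) < 3:
        return False
    return any(lowered in run or lowered in run[::-1] for run in KEYBOARD_RUNS)


def evaluate_password(password, username="", service="nintendo"):
    """Return the list of reasons the password must be rejected; an empty list means accept.
    No upper/lower/digit/symbol composition rules are imposed, in line with SP 800-63B."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    lowered = password.lower()
    for label, word in (("username", username), ("service name", service)):
        if len(word) >= 3 and word.lower() in lowered:
            reasons.append(f"contains the {label}")
    if password and len(set(password)) == 1:
        reasons.append("repeated single character")
    if is_sequential(lowered):
        reasons.append("sequential characters")
    if is_breached(password):
        reasons.append("appears in a breach corpus")
    return reasons


if __name__ == "__main__":
    for candidate in ("123456", "mario123", "correct horse battery staple"):
        print(candidate, "->", evaluate_password(candidate, username="mario") or "accepted")
```

The same `evaluate_password` check can be run at login time against the stored breach index, which is how an operations team keeps monitoring for passwords that only became "known" after the user chose them.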

Besides the above, Mitre ATT&CK also provides some best practices to mitigate credential stuffing in general. In addition to those already mentioned, you should not allow more than a few failed login attempts. But be careful with account lockout: locking other users out may be done on purpose – just think about a bad guy preventing their "opponents" from raising their bid on eBay. We do not want to give any more ideas…
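One way to limit failed attempts without handing attackers a denial-of-service button is an escalating delay instead of a hard lockout, keyed on both the account and the source of the attempts. The following is an added example written for this article, not code from Mitre or Nintendo; the window, threshold and cap values are assumptions chosen for illustration. Because the source is tracked separately, the same structure also surfaces the signature of a stuffing run: many distinct accounts failing from one origin, which a single user mistyping their own password never produces.

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 600          # sliding window for counting failures (assumed value)
FREE_ATTEMPTS = 3             # failures tolerated per key before any delay (assumed value)
MAX_DELAY_SECONDS = 900       # cap on the escalating delay so nobody is locked out for good
STUFFING_THRESHOLD = 10       # distinct accounts failing from one source within the window


class LoginThrottle:
    """Escalating delay keyed on both the account and the source, in place of a hard lockout."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(deque)            # key -> timestamps of recent failures
        self.accounts_by_source = defaultdict(dict)   # source -> {account: last failure time}

    def _recent(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return q

    def retry_after(self, account, source):
        """Seconds to wait before the next attempt is processed; 0.0 means proceed now."""
        now = self.clock()
        wait = 0.0
        for key in (("account", account), ("source", source)):
            q = self._recent(key, now)
            excess = len(q) - FREE_ATTEMPTS
            if excess > 0:
                delay = min(MAX_DELAY_SECONDS, 2 ** (excess - 1))   # 1, 2, 4, ... seconds
                wait = max(wait, q[-1] + delay - now)
        return max(0.0, wait)

    def record(self, account, source, success):
        """Update counters after an attempt. A success clears the account's failures only;
        the source keeps its history, since a stuffing run has occasional hits too."""
        now = self.clock()
        if success:
            self.failures[("account", account)].clear()
            return
        self.failures[("account", account)].append(now)
        self.failures[("source", source)].append(now)
        self.accounts_by_source[source][account] = now

    def looks_like_stuffing(self, source):
        """Many distinct accounts failing from one source within the window is the signature
        of a credential stuffing run rather than of one user mistyping their password."""
        now = self.clock()
        seen = self.accounts_by_source[source]
        for acct in [a for a, t in seen.items() if now - t > WINDOW_SECONDS]:
            del seen[acct]
        return len(seen) >= STUFFING_THRESHOLD


if __name__ == "__main__":
    throttle = LoginThrottle()
    for i in range(12):   # constructed run: one source, many accounts, all failing
        throttle.record(f"user{i}", "203.0.113.5", False)
    print("stuffing suspected:", throttle.looks_like_stuffing("203.0.113.5"))
    print("delay for that source:", throttle.retry_after("anyone", "203.0.113.5"), "s")
```

The per-account delay is capped and decays with the sliding window, so the worst a malicious third party can do to a victim is slow them down briefly, not lock them out of their eBay bid; the per-source delay, by contrast, is what actually grinds a stuffing tool to a halt, and `looks_like_stuffing` is the signal to raise with the operations team or feed into a step-up to two-factor authentication.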

Of course, cyber security is not only up to companies and developers; users should also be security-aware and conscious of the security of their accounts. A few important steps: create different passwords for different sites, and have long and strong passwords that are hard to crack – a minimum of 8 characters is a good starting point against brute forcing. Password managers are of great assistance in general.

Reacting to the incident, Nintendo abolished logins to all Nintendo Accounts (used e.g. by the Nintendo Switch gaming console since 2017) via NNID and reset the passwords of compromised NNIDs as well as single sign-on accounts (the company introduced these in 2016 across various services: one could create such an account via an e-mail address, Facebook, Google or Twitter). In addition to this, Nintendo warned users not to use the same password for NNID and the Nintendo Account, as that would allow paying illegally with the user's registered credit card or PayPal account.

Finally, they also suggested setting up two-step verification for better security.

Our courses go in depth on how to implement authentication correctly: how to use multi-factor authentication (and which implementations to use), how to handle password policies, and how to follow the industry best practices for password storage. We can help you avoid the pitfalls that Nintendo fell into – and more!