How Multi-Factor Authentication Protected My Nintendo Account

A few days ago, in the middle of the day, while I was working, I received a text message with a two-factor code from Nintendo. However, I was not on my Switch nor was anyone else using Nintendo services at the time. I quickly logged in to the Switch and checked and immediately reset my password.

Very odd and very concerning to a security guru.

Fast forward to today and I see an official announcement from Nintendo that other users have reported unauthorized logins to their Network ID accounts. They finally took action and suspended all Network IDs after the breach was discovered.

I put two and two together and realized this is what I experienced: my Nintendo account was hacked.

https://www.nintendo.co.uk/Support/Support-11593.html

We would like to provide an update on the recent incidents of unauthorised access to some Nintendo Accounts.

While we continue to investigate, we would like to reassure users that there is currently no evidence pointing towards a breach of Nintendo’s databases, servers or services. As one action in our ongoing investigation, we are discontinuing the ability to use a Nintendo Network ID to sign in to a Nintendo Account. All other options to sign-in to a Nintendo Account remain available.

As a further precaution, we will soon contact users about resetting passwords for Nintendo Network IDs and Nintendo Accounts that we have reason to believe were accessed without authorisation.

In addition, we also continue to strongly encourage users to enable two-step verification for their Nintendo Account as instructed here: How to set-up two-step verification for a Nintendo Account.

If any users become aware of unauthorised activity, we encourage them to take the steps outlined in the article about the Nintendo Account recovery process.

During the investigation, in order to deter further attempts of unauthorised sign-ins, we will not reveal more information about the methods employed to gain unauthorised access.

We apologise for the inconvenience and concerns caused to our customers, and we will continue working hard to safeguard the security of our users’ data.

This is a case in point: proof that two-factor authentication saved my account from being compromised. Triggering the text message with my second factor meant that my username and password were somehow compromised and successfully used.

The second factor, something you have (my phone), stopped the attackers because I had the phone where the second factor was sent, not them. That added level worked as designed, and it is why you should always enable it everywhere you can.
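The same reasoning seen from the service's side, as an added example that is not part of the original post: a correct password that is never followed by a completed second factor suggests someone else knows the password. The event names, schema and sample log below are constructed for illustration and are not Nintendo's.

```python
from datetime import datetime, timedelta

# Constructed sample authentication log: (timestamp, user, event).
EVENTS = [
    ("2024-01-01T12:00:05", "alice", "password_ok"),
    ("2024-01-01T12:00:31", "alice", "mfa_ok"),        # normal two-step login
    ("2024-01-01T13:14:02", "bob", "password_ok"),     # code sent, never entered
    ("2024-01-01T13:20:00", "carol", "password_fail"), # wrong password, no code sent
    ("2024-01-01T14:00:00", "bob", "password_ok"),
    ("2024-01-01T14:00:40", "bob", "mfa_fail"),        # wrong code entered
]

def abandoned_mfa(events, window=timedelta(minutes=5)):
    """Return {user: [timestamps]} for every accepted password that was not
    followed by a successful second factor from that user within `window`."""
    pending = {}  # user -> time of the password_ok still awaiting its second factor
    flagged = {}

    def flag(user, ts):
        flagged.setdefault(user, []).append(ts.isoformat())

    for ts_text, user, kind in sorted(events):  # ISO timestamps sort chronologically
        ts = datetime.fromisoformat(ts_text)
        start = pending.get(user)
        if start is not None and ts - start > window:
            flag(user, start)            # challenge expired without completion
            del pending[user]
            start = None
        if kind == "password_ok":
            if start is not None:
                flag(user, start)        # replaced by a new attempt, never completed
            pending[user] = ts
        elif kind == "mfa_ok" and start is not None:
            del pending[user]            # both factors presented: legitimate login
    for user, start in pending.items():
        flag(user, start)                # log ended with the challenge still open
    return flagged

if __name__ == "__main__":
    for user, times in abandoned_mfa(EVENTS).items():
        print(f"{user}: password accepted without second factor at {', '.join(times)}")
```

Accounts flagged this way are candidates for a forced password reset, since the first factor has already been used successfully by whoever triggered the code.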

Here’s how you set up two-factor authentication on the Switch – https://www.nintendo.co.uk/Support/Nintendo-Switch/How-to-Set-Up-2-Step-Verification-for-a-Nintendo-Account-1466677.html

You may look at multi-factor authentication as extra work, inconvenient, more things to do, etc… If you put your convenience and the extra 10 seconds it may take to log in to something ahead of your account’s integrity and protecting payment information… well, good luck to you. Because at any moment and any time it will bite you in the end.

Be aware, be safe.

 

 

