Nintendo said a total of 300k accounts have been hacked (cnn.com)
42 points by wslh on June 10, 2020 | 20 comments


Neither this article nor the previous one (https://www.cnn.com/2020/04/24/tech/nintendo-accounts-hacked...) mentions how this breach took place, but I'm guessing it's reasonable to assume that this was related to credential stuffing.


This hit me, and my Nintendo account was using a unique KeePass-generated password.


Did you have a Nintendo Network ID linked to your Nintendo account though? Was that NNID password secure?


That is quite possible, I do remember some linking at some point, will have to check.



SpyCloud did an interesting writeup on at least one credential stuffing tool used months ago in this attack: https://spycloud.com/technical-analysis-nintendo-account-che...


Another month, another hack on Nintendo accounts... What is up with their security?!


In this case, nothing.

The "attack" was a standard credential stuffing attack (https://en.wikipedia.org/wiki/Credential_stuffing).

Attackers were just using credentials that were leaked in other data breaches to access Nintendo Accounts (Switch and mobile apps), by logging in via a linked Nintendo Network ID (3DS and Wii U).

If the password for your NNID had not been breached in the past (and then reused for the NNID), you wouldn't have been vulnerable. Enabling 2FA would also have protected you against this attack.

Nintendo has solved this by:

a) Resetting NNID passwords when they think someone has been affected

b) Disabling the option to log in to Nintendo Accounts using the NNID username/password.
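
Added example, not part of the thread: a minimal detection pass for the credential-stuffing pattern described in the comment above, run over constructed login log lines. The log format, the `nnid`/`account` path labels and the thresholds are assumptions for illustration, not Nintendo's actual logs or logic.

```python
from collections import defaultdict

# Constructed sample log (hypothetical format): time, source IP, login path, username, result
SAMPLE_LOG = """\
2020-04-01T10:00:01Z 203.0.113.7 nnid alice FAIL
2020-04-01T10:00:02Z 203.0.113.7 nnid bob FAIL
2020-04-01T10:00:03Z 203.0.113.7 nnid carol OK
2020-04-01T10:00:04Z 203.0.113.7 nnid dave FAIL
2020-04-01T10:00:05Z 203.0.113.7 nnid erin FAIL
2020-04-01T10:00:06Z 203.0.113.7 nnid frank FAIL
2020-04-01T10:05:00Z 198.51.100.20 nnid grace FAIL
2020-04-01T10:05:30Z 198.51.100.20 nnid grace OK
2020-04-01T10:06:00Z 192.0.2.44 account heidi OK
"""

def parse(log):
    """Yield (ip, path, user, ok) tuples; malformed lines are skipped."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[4] not in ("OK", "FAIL"):
            continue
        _, ip, path, user, result = parts
        yield ip, path, user, result == "OK"

def find_stuffing(log, path="nnid", min_users=5, min_fail_ratio=0.7):
    """Return {source_ip: [accounts that were successfully logged in]}.

    Stuffing tries one leaked password per account across many accounts,
    so the signal is many distinct usernames from one source with mostly
    failures, not repeated failures against a single username.
    """
    users, hits = defaultdict(set), defaultdict(set)
    fails, total = defaultdict(int), defaultdict(int)
    for ip, p, user, ok in parse(log):
        if p != path:          # only the legacy login path is examined
            continue
        users[ip].add(user)
        total[ip] += 1
        if ok:
            hits[ip].add(user)
        else:
            fails[ip] += 1
    # Accounts with a success from a flagged source are password-reset candidates.
    return {ip: sorted(hits[ip]) for ip in users
            if len(users[ip]) >= min_users
            and fails[ip] / total[ip] >= min_fail_ratio}

if __name__ == "__main__":
    print(find_stuffing(SAMPLE_LOG))
```

Attack traffic is often spread across many source addresses, so the same aggregation is usually also keyed on other request attributes rather than IP alone.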


Not unlike Apple and Sony, when a hardware company starts making web-apps, chances are it's not going to be very good.


It's strange, because Nintendo has such good first-party game development skills and develops entire operating systems for their internet-connected consoles (including security architectures spanning hardware/software).

Even some of Nintendo's top brass have had strong software engineering skills: in the late 1990s, during the development of Pokemon Gold & Silver, the team was struggling, so future Nintendo President Satoru Iwata developed and implemented a compression algorithm.

The skills are certainly there.


Developing software that fulfills functional or gameplay requirements is going to require a very different skillset compared to fulfilling security requirements (user stories become abuser stories, and they aren't always easy to wrap your head around).

Corporate Japan has also lagged behind western companies in this area. The book Business Management and Cybersecurity by Shinichi Yokohama dives into this.


Web security is not the same skill set.

You’d think after this they would just buy Auth0.com and use their skills.


Sony ain't that good in embedded software in general, the Alpha series camera software is ... a hot mess.


Plenty of web apps have giant account breaches as well—late last year DoorDash had almost 5 million accounts get hacked. Over 15x as big as this one.


Japan has slipped very far behind in so many areas, it's really quite sad.


Massive account breaches aren't in any way a Japanese-only problem.


And this is a service Nintendo charges for. How much of that is used to prevent things like this? Or maybe they just budget for the occasional hack happening so they can give people refunds?


Actually this specific breach was with Nintendo Network ID which was an older login system with the 3DS and you didn't have to pay for it.


This attack affected regular Nintendo accounts that are free, not just those using Nintendo Online (the paid service).


It’s also the only way to back up your saves - this is why I stopped using my Switch



