24,000 Nintendo Site Accounts Compromised
hypnosec writes "Nintendo has revealed that it has detected illicit logins in nearly 24,000 accounts on one of the main fan sites in Japan 'Club Nintendo' and account details such as real names, addresses, emails and phone numbers may have been accessed. According to Nintendo, the mass login attempts have been made using a list of login credentials containing usernames and passwords obtained from some service other than Nintendo. The company revealed that it detected over 15 million login attempts out of which 23,926 were successful."
24,000 Accounts? (Score:4, Funny)
So... all of them, then?
Zing.
Re: (Score:2)
The article notes that they have 4 million users just in Japan, oddly enough. That's about 3% of Japan's population.
Just guessing? (Score:5, Insightful)
Re: (Score:2, Insightful)
Re:Just guessing? (Score:5, Insightful)
GP meant that they tried several easy passwords on many more than 24,000 accounts. 24,000 / 15,000,000 = .16% success rate... This might be the fraction of accounts using 12345 as a password.
Re: (Score:2)
Re: (Score:2, Interesting)
Re: (Score:2)
How much brute force traffic do you expect before you do something?
Obviously, you did not read TFA. Yes, it creates traffic, but it might not create enough noticeable traffic at first until it became obvious later on.
On further investigation Nintendo found that the attempts started on June 9 and the scattered instances of illicit logins became a problem on July 2.
Re: (Score:2)
I have accounts where the password is something useless like that. Those are on sites where the host forced me to create an account to get a coupon or something similarly idiotic to drive up their subscription rates. I suspect these hackers have a nice long list of accounts for the surname "yourself".
Re: (Score:2)
I have accounts where the password is something useless like that. Those are on sites where the host forced me to create an account to get a coupon or something similarly idiotic to drive up their subscription rates
When you come across these sites you should post your log-in info to http://www.bugmenot.com/ [bugmenot.com]
It's helped me get into sites that I didn't wish to log into and I pay back by posting log-ins myself.
It's become well known and many sites have requested theirs not be listed; but in the long run it works very well.
Re: (Score:2)
Re: (Score:3)
More like they tried 15M attempts at logging in with various username-password combinations, of which 24,000 of them were successful.
Though, given how little information Nintendo asks, one wonders what the whole point is - I don't think Nintendo even asks for an address until they absolutely need it, so if it was an account created but not really used, there's no information at all. Maybe a few coins, but you can't take t
Re: (Score:3)
Standard English grammar has 1.1 bits of information per character (at least in larger text bodies).
Re: (Score:2)
Re: (Score:2)
24,000 out of 15 million? If it really is brute force, why so few?
Re: (Score:2)
because that is exactly the definition of a brute force, using non-impressive means to gain access to accounts by people stupid enough to use easy to guess passwords.
Re: (Score:2)
using non-impressive means to gain access to accounts by people stupid enough to use easy to guess passwords.
So you believe that only 24,000 out of 15,000,000 used "easy to guess passwords?"
Re: (Score:2)
Username or Email? (Score:2)
How is brute force even a viable means of hack? (Score:2)
It should be very obvious how to guess the difference between a human logging in and a bot.
If a user is generating 100k failed password attempts a minute, day, week, month, or even a year, chances are they are a bot.
Also if someone is logging in from various places around the world, chances are it's a bot. If the user sets up an account from the US or Canada, but is logging in from China one minute then Russia another, it's probably a bot.
Also even if the bot has 1 failed attempt a day using some discretionar
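The heuristics discussed in the comment above, as an added example that is not part of the original thread: because the summary says the credential list came from another service, each username may be tried only once, so this sketch counts distinct usernames and success ratio per source rather than failures per account, and separately flags one account succeeding from two countries within a short window. The event layout, thresholds, function names, addresses and usernames are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def make_events():
    """Constructed sample log: (timestamp, source_ip, country, username, success)."""
    t0 = datetime(2000, 1, 1, 12, 0, 0)  # arbitrary constructed start time
    ev = []
    for i in range(40):  # one source, 40 different usernames, a single hit
        ev.append((t0 + timedelta(seconds=i), "203.0.113.7", "XX", f"user{i:03d}", i == 17))
    for i in range(3):   # a real user mistyping a password three times
        ev.append((t0 + timedelta(seconds=10 * i), "198.51.100.20", "JP", "alice", False))
    ev.append((t0 + timedelta(seconds=40), "198.51.100.20", "JP", "alice", True))
    # the same account succeeding from two countries three minutes apart
    ev.append((t0 + timedelta(minutes=1), "192.0.2.5", "US", "bob", True))
    ev.append((t0 + timedelta(minutes=4), "192.0.2.99", "RU", "bob", True))
    return ev

def stuffing_sources(events, min_users=20, max_success_ratio=0.05):
    """Sources that try many distinct usernames and almost always fail."""
    users, ok, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for _, ip, _, user, success in events:
        users[ip].add(user)
        total[ip] += 1
        ok[ip] += int(success)
    return sorted(ip for ip in total
                  if len(users[ip]) >= min_users
                  and ok[ip] / total[ip] <= max_success_ratio)

def geo_jumps(events, window=timedelta(minutes=10)):
    """Accounts with successful logins from different countries inside `window`."""
    last, flagged = {}, set()
    for ts, _, country, user, success in sorted(events, key=lambda e: e[0]):
        if not success:
            continue
        if user in last:
            prev_ts, prev_country = last[user]
            if prev_country != country and ts - prev_ts <= window:
                flagged.add(user)
        last[user] = (ts, country)
    return sorted(flagged)

def exposed_accounts(events, bad_sources):
    """Accounts a flagged source logged into: candidates for a forced reset."""
    return sorted({u for _, ip, _, u, success in events if success and ip in bad_sources})

if __name__ == "__main__":
    events = make_events()
    bad = stuffing_sources(events)
    print(bad, geo_jumps(events), exposed_accounts(events, bad))
```

Per-source counting misses an attempt spread across many addresses, so a site-wide failed-login rate compared against its normal baseline is a useful companion signal.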
Re: (Score:2)
Except Club Nintendo is NOT tied to anything you already have. It's a separate account and
Re: (Score:1)
Guildwars - I've screwed up and typo'd the damn pw (n)x times in a row w/o hitting their limit. Of course, it's also a registered IP with them so maybe the system would lock things if too many failures from various unrecognized locations.
Linked to Pokémon fansite hack? (Score:2)
A bunch of Pokémon fansites were hacked recently (here's one reasonably detailed report from one of the sites). Although as far as I know no plaintext passwords were stored on any of the servers, there were a bunch of password hash databases taken; and because Pokémon is a Nintendo property, Nintendo's website would be an obvious place to try any username/password pairs that were weak enough to be reversed from the databases (and some plaintext passwords would be available as a result of compromis
Fine, I'll say it (Score:2)
Yahoo hack led to this (Score:1)
As per the parent post they were referencing a list of usernames and passwords sourced 'elsewhere'. Yahoo jp edition lost pretty much everyone's details about six weeks back [wired.co.uk] - this is more than likely the source.
I have a club nintendo jp account (no notice of hacking yet, though I did receive notice from Yahoo above). From memory the user ID for the club nintendo service needed to be an eight digit number rather than a more usual word based UID. That could easily explain the perceived low success rate of