The security incident affecting 160 000 Nintendo accounts: why password reuse is bad, and what is credential stuffing?

On April 24, 2020, the electronics and gaming company Nintendo announced a cyber security incident that was going on since the beginning of the month. They admitted that somebody spoofed Nintendo Network ID logins (NNID, used in older products like Nintendo 3DS or the Wii U console) using information “illegally obtained from other than our service by some means“. The company first referred to the size of the breach as “some Nintendo Accounts were illegally logged in via NNID“.

NNID is a legacy authentication system that does not provide two-factor authentication, and this is one of the most important circumstances that allowed this breach to happen at all. The typical flow of two-factor authentication is proving your identity by, on one hand, something you know (your password), and on the other hand, something you have (that is, your mobile phone). Even if the password leaks due to a cyber security incident like this one, the attacker cannot access or mimic your mobile phone, and consequently cannot log in. Nintendo’s uses a mobile app, namely, Google Authenticator; however, that was not an option in case of NNID-based authentication. Moreover, to make it easy to enter the passwords even on handheld consoles, the minimal password size of NNID was 6 characters. This resulted in very weak passwords that one can recover even by a brute force attack. The industry standard minimal size is 8 characters.

Later in the announcement they concretized the size of the breach, stating that the cyber security incident affected 160 000 accounts. From that, 1% of these accounts were used for fraudulent trade. Concerning the type of the accessed data, nickname, date of birth, country, region, and e-mail address were revealed. Nintendo emphasized that credit card information did not leak, but as we will see later, this was just partially true.

Credential stuffing

According to Hot for Security, the attack might have been a credential stuffing attack: the hackers simply tried to apply usernames and passwords from other breaches. People tend to use the same credentials on multiple sites, and this can easily lead to cross-site compromise.

In a credential stuffing attack, criminals try to log in into a system manually or by using tools with usernames and passwords leaked elsewhere, in other breaches. The Mitre ATT&CK entry on this issue states that “Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised, and the user account credentials accessed”. When there is a match, the data thief can exploit the compromised accounts or sell them on the black market. This is valuable information because of credential overlap, that is, people use the same password on different sites. This is unfortunately a rather common practice: according to research done by LogMeIn, 59 percent of users admit doing this.

The Nintendo attack was not an isolated one, of course – there are quite a few famous cases besides it. In August 2018, British health and beauty retailer Superdrug was blackmailed with a claim that twenty thousand user accounts were compromised in a credential stuffing attack based on hacks and spillages. In October 2016, attackers got hold of private data of Uber’s customers by using authentication information of Uber employees from previous data breaches. Again, this was possible as employees used the same passwords on multiple sites. Although two-factor authentication was available, it was not activated for these accounts. This led to the compromise of 32 million users’ records and 3.7 million drivers’ data. The attackers blackmailed Uber, and they paid, but did not publish the cyber security incident until a year later. All this resulted in a fine of 385 000 GBP by the UK Information Commissioner’s Office.

Tales from the dark side

Credential stuffing attacks can be generic or custom. In a generic attack, the perpetrator uses a boxed software like Sentry MBA or HashCat with a properly set configuration file. For a custom attack, attackers develop a proprietary tool. In the latter case, this custom tool has a price on the black market as some expertise is needed for one to write such a tool.

Interestingly, an online fraud prevention and cyber security company Spycloud got access to the source code of the custom account checker tool that was specifically written to steal Nintendo accounts. A notable feature of this application was a strong defense layer against unauthorized users (just to make it clear: user here means the bad guy who bought this tool from another bad guy who developed the tool). It applied certain copy protection techniques and did not allow using it without payment or running it on more computers. First and foremost, it had a kill switch that allowed the developer to delete the program from the user’s computer. It also protected itself against debugging and by checking for the presence of WireShark, Fiddler or some other common reverse engineering and sniffing tools. If such a tool was detected, the program’s execution got aborted immediately by triggering the kill switch. However, the list of banned tools was a blacklist, so this was just a bit of annoyance if someone really wanted to understand how this tool worked.

The account checker also used proxies to hide the IP address of the attacker. This made it harder for the attacked site to tell it apart from legitimate traffic. A malicious user had to configure these proxies as well as provide the list of user-password pairs obtained from other cyber security breaches. This database of leaked passwords should not necessarily be a recent one; due to people’s sustained lack of security consciousness, any list of passwords – even an old one – might have worked.

Upon harvesting the accounts, the tool provided some insights into the compromised profiles, like data about Nintendo Gold Points, Nintendo Store and Nintendo eShop balance, the user’s PayPal ID, credit card type, card expiration, currency, and the first 6 and last 4 digits of the credit card number. So, some credit card data did leak at the end.

The human factor of cyber security

What we could obviously learn from this story is that companies should apply strict password policies. They can for example follow the password policy advisory from the National Institute of Standards and Technology (NIST), most importantly the NIST Special Publication 800-63B Digital Identity Guidelines, Section 5.1.1 that specifically deals with password policy best practices. Complementing this, the operation team should continuously monitor for weak or stolen passwords. Finally, it is a good idea to make two-factor authentication obligatory; to date there is no substantial resistance against such solutions anymore, users accepted it as a means of more secure authentication (psychological acceptability is always an important principle when designing security solutions).

Besides the above, Mitre ATT&CK also provides some best practices to mitigate credential stuffing in general. In addition to the already mentioned, you should not allow more than a few failed login attempts. But be careful with account lockout: malicious locking-out of other users may be done purposeful – just think about a bad guy preventing their “opponents” to raise their bid on eBay. We do not want to give any more ideas…

Of course, cyber security is not only on companies and developers; users should also be security-aware and be conscious about the security of their accounts. A few important steps: create different passwords for different sites, have long and strong passwords that are hard to crack – a minimum of 8 characters is a good starting point against brute forcing. Password managers are of great help in general.

Reacting to the incident, Nintendo abolished logins to all Nintendo Accounts (used e.g., by the Nintendo Switch gaming console since 2017) via NNID and reset passwords of compromised NNIDs as well as single sign-on accounts (the company introduced this in 2016 onto various services: one could create such an account via an e-mail address, Facebook, Google or Twitter). In addition to this, Nintendo warned users not to use the same password for NNID and the Nintendo Account as that would allow paying illegally with the user’s registered credit card or PayPal account.

Finally, they also suggested setting up two-step verification for better security.

Our courses go in depth on how to implement authentication correctly: how to use multi-factor authentication (and which implementations to use), how to handle password policies, and how to follow the industry best practices for password storage. We can help you avoid the pitfalls that Nintendo fell into – and more!