Nintendo Switch owners are being encouraged to lock down their accounts after a wave of fraudulent attacks.
The hacks involve a user logging into a person’s Nintendo account – and often using a linked PayPal account to make expensive purchases.
Several reports say the attacks have intensified in recent weeks, with staff at popular technology and gaming sites among those affected.
Nintendo recommends using two-factor authentication to protect accounts.
The attacks have been going on for months, but appear to have increased in the past few weeks.
One staff member at gaming site Eurogamer had their account accessed, the website reported, as did another at Ars Technica.
Administrators of the Nintendo forum on Reddit also said there had been a “notable” number of reports in the past few days.
What is happening?
Owners of the Switch console can buy games from Nintendo’s online shop – but can also purchase digital currencies for popular games such as Fortnite.
For convenience, Nintendo also allows users to pay through PayPal by linking their accounts.
In the past month, players have been posting on Twitter, Reddit, and elsewhere about their PayPal accounts being used to buy hundreds of dollars of games or “V-bucks”, Fortnite’s digital currency. Technology site ZDNet reports finding adverts online by hackers offering those V-bucks for resale.
Similar attacks on other services often use passwords that are re-used on multiple accounts. When a data breach exposes passwords for one site, attackers often try the same username and password combination on hundreds of others, hoping to find a match. But many online posts claiming to have been attacked say they use unique passwords for their Nintendo account.
One prominent affected user, the operator of the LootPots site, has speculated that the attacks may be linked to Nintendo’s older account system, the Nintendo Network ID.
It was used for previous WiiU and Nintendo 3DS systems. It can be linked to the newer, Switch-compatible Nintendo account – which may offer a way in using an older password that may have been compromised.
How can I protect myself?
While Nintendo has not directly addressed the reported increase in attacks, it has tweeted encouraging users to add two-factor authentication (2FA) to their account. That can be done in the settings page of an account in seconds.
“This is incredibly concerning for Nintendo users,” said Lisa Forte of Red Goat Cyber Security.
“Passwords, for any account, are not the most secure way of signing in. It is essential for users to enable 2FA to make their accounts more secure.
“This means that attackers need another code to log in to your account, not just your password.”
Password managers can also help users create long, complicated passwords that are harder to guess, she said.
“The current Covid-19 pandemic puts online gaming platforms front and centre as targets for attackers. More people are at home gaming and loading money on to their accounts,” Ms Forte said.