Over the past few days, users of Nintendo consoles may have been notified of unrecognized logins on their Nintendo accounts. The company acknowledged the widespread reports of suspicious activity and said it was looking into the issue, and today, it issued an official statement on its Japanese website acknowledging the breach.
According to Nintendo, attackers leveraged Nintendo Network ID (NNID), the login system that was most prominent in the Nintendo 3DS and Wii U era. Nowadays, Nintendo accounts can be accessed in a number of ways, primarily a simple e-mail and password, but an NNID can be linked to a Nintendo account and used as a login option, which is what these attackers used to gain access.
As a result of the attack, Nintendo has now disabled the ability to login using an NNID altogether, and it's asking potentially affected users to reset both their NNID and Nintendo account passwords. Nintendo notes that if you use the same password for your NNID and the Nintendo account, it may have been possible for an attacker to make purchases on your behalf using PayPal or a linked credit card, and it urges users to have different passwords for the two accounts. If you notice suspicious payments on your account, Nintendo asks that you report it so that the purchases can be cancelled.
As for how many users were affected, Nintendo estimates around 160,000 accounts may have been logged into, granting attackers access to personal information such as gender, birth date, and e-mail address. Payment information is not included in the information that can be accessed, but as mentioned above, it may be usable on the eShop if your Nintendo account password is the same as the NNID password.
If you fear you've been affected, you'll want to reset your passwords as soon as possible, and enable two-step authentication for login on your account.