Hackers Crash the (Mario) Party at Club Nintendo
Nintendo fansite and rewards program Club Nintendo was the target of a month-long brute force attack.
A Nintendo fan site has been hit with a series of mass login attempts, whereby cybercriminals attempted to break into users' accounts to steal their personal information.
Nintendo said today that over the past month, 15.5 million login attempts were made to the Japanese accounts of a website called Club Nintendo, which the Nintendo company operates. Of those login attempts, 23,926 were successful.
This type of attack, called a "brute force" attack, is fairly simplistic in nature: The criminals write a program that tries thousands and thousands of possible username and password combinations until they find one that works.
To illustrate the scale of these "brute force" attacks, Club Nintendo only has about 4 million registered Japanese users. That means that the hackers — or rather, their program — tried approximately 3 million passwords per account.
A strong password, one that is not an actual word and that mixes in numbers and non-letter characters, has a much better chance of standing up to such an attack.
These criminals weren't able to steal any financial information from the compromised accounts, but that's only because Club Nintendo doesn't handle financial information. The site's main purpose is as a fan networking hub and a rewards program; users can register purchased Nintendo products for points, sometimes called "coins" after the items in the "Mario" video games.
These points can then be used to redeem other prizes. The idea is similar to an arcade, where people pay to play games and then earn tickets, which they can then trade in for simple prizes.
Aside from these points, the only other information that the criminals could have gleaned from attacking Club Nintendo accounts is users' email addresses and possibly their names, phone numbers and addresses if they chose to provide them.
Nintendo has already alerted the compromised users and changed their passwords, but that doesn't change the fact that the criminals may now have a huge list of names and email addresses. That information could be used for further scams, such as spear phishing, in which cybercriminals send emails tailored with information the recipient would find highly relevant in order to trick them into clicking malicious links or downloading malware, or other email-based attacks.
"What is perhaps most alarming is the length of time that the Club Nintendo website was being bombarded by attempts to break into customer accounts," security expert and blogger Graham Cluley wrote today.
"It’s hard to imagine that a sustained attack like that could have gone unnoticed for nearly one month and suggests poor stewardship by Nintendo’s security team."
A strong password would have been enough to keep users safe. It's also a good idea to use a different password for each account, because if a Club Nintendo user's password had been compromised on a different site, the criminals might have been able to use that same password to break into this one.
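As an added illustration of the kind of monitoring Cluley's comment implies (example code written for this article, not Nintendo's or anyone else's), the following Python reads a constructed authentication log, flags runs of days on which failed logins dominate, and lists accounts whose successful login came straight after a failure streak, which are the ones an operator would reset. The log format, account names and thresholds are all assumptions sized for the toy sample; in practice the thresholds would be derived from the site's normal traffic baseline.

```python
from collections import defaultdict

# Constructed sample log, not real Club Nintendo data: "<ISO time> <account> <ok|fail>".
# Day 1 is ordinary traffic; days 2-4 are a guessing campaign that eventually lands "dave".
SAMPLE_LOG = """\
2013-06-09T09:00:00 alice ok
2013-06-09T18:10:00 carol fail
2013-06-09T18:11:00 carol ok
2013-06-10T01:00:00 alice fail
2013-06-10T01:00:01 carol fail
2013-06-10T01:00:02 dave fail
2013-06-11T01:00:00 alice fail
2013-06-11T01:00:01 erin fail
2013-06-12T01:00:00 alice fail
2013-06-12T01:00:01 dave fail
2013-06-12T01:00:02 dave ok
"""

def parse_log(text):  # yields (iso_timestamp, account, succeeded) per log line
    for line in text.splitlines():
        ts, account, result = line.split()
        yield ts, account, result == "ok"

def daily_failure_stats(events):
    """Per ISO date: (attempts, share of attempts that failed), oldest day first."""
    attempts, failures = defaultdict(int), defaultdict(int)
    for ts, _, ok in events:
        attempts[ts[:10]] += 1
        failures[ts[:10]] += not ok
    return {d: (attempts[d], failures[d] / attempts[d]) for d in sorted(attempts)}

def sustained_runs(stats, fail_ratio=0.6, min_attempts=2, min_days=3):
    """Runs of successive logged days whose failure share stays at or above fail_ratio."""
    runs, current = [], []
    for day, (n, ratio) in list(stats.items()) + [(None, (0, 0.0))]:  # sentinel flushes last run
        if n >= min_attempts and ratio >= fail_ratio:
            current.append(day)
        else:
            if len(current) >= min_days:
                runs.append(current)
            current = []
    return runs

def accounts_hit_after_guessing(events, min_failures=2):
    """Accounts whose successful login came straight after min_failures+ consecutive failures."""
    streak, hit = defaultdict(int), set()
    for _, account, ok in sorted(events):
        if ok and streak[account] >= min_failures:
            hit.add(account)
        streak[account] = 0 if ok else streak[account] + 1
    return hit
```

On the sample, `sustained_runs` reports the three-day run starting 2013-06-10 and `accounts_hit_after_guessing` returns only "dave"; a month-long campaign like the one described above would show up as a run of roughly thirty days.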