
24,000 Nintendo Site Accounts Compromised

samzenpus posted about a year ago | from the protect-ya-neck dept.

Security 36

hypnosec writes "Nintendo has revealed that it has detected illicit logins to nearly 24,000 accounts on one of its main fan sites in Japan, 'Club Nintendo', and account details such as real names, addresses, emails and phone numbers may have been accessed. According to Nintendo, the mass login attempts were made using a list of login credentials containing usernames and passwords obtained from some service other than Nintendo. The company revealed that it detected over 15 million login attempts, of which 23,926 were successful."
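Added example (the editor's, not part of the submission and not Nintendo's own tooling): the ratio in the summary, 23,926 successes out of roughly 15 million attempts, is what credential stuffing looks like from the server side, and the detection question is how to tell it apart from a classic brute-force run. The script below classifies each source address by attempts per distinct account over a small, constructed authentication log. The log line format, the IP addresses, the account names and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of authentication events; the line format below is an
# assumption for this example, not Nintendo's log format.
#   <date> <source-ip> <account> <OK|FAIL>
SAMPLE_LOG = """\
2013-06-09 198.51.100.7 u1001 FAIL
2013-06-09 198.51.100.7 u1002 FAIL
2013-06-09 198.51.100.7 u1003 FAIL
2013-06-09 198.51.100.7 u1004 FAIL
2013-06-09 198.51.100.7 u1005 OK
2013-06-09 198.51.100.7 u1006 FAIL
2013-06-09 198.51.100.7 u1007 FAIL
2013-06-09 198.51.100.7 u1008 FAIL
2013-06-10 203.0.113.5 alice FAIL
2013-06-10 203.0.113.5 alice FAIL
2013-06-10 203.0.113.5 alice FAIL
2013-06-10 203.0.113.5 alice FAIL
2013-06-10 203.0.113.5 alice FAIL
2013-06-10 203.0.113.5 alice OK
2013-06-11 192.0.2.10 bob FAIL
2013-06-11 192.0.2.10 bob OK
"""

LINE_RE = re.compile(r"^(?P<date>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<result>OK|FAIL)$")


def parse(log_text):
    """Turn log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def source_stats(events):
    """Per source IP: total attempts, successes and the set of accounts tried."""
    stats = defaultdict(lambda: {"attempts": 0, "successes": 0, "accounts": set()})
    for e in events:
        s = stats[e["ip"]]
        s["attempts"] += 1
        s["accounts"].add(e["user"])
        if e["result"] == "OK":
            s["successes"] += 1
    return stats


def classify(stats, min_attempts=5, stuffing_max_per_account=1.5, brute_min_per_account=5):
    """Label each source by the shape of its traffic, not its volume alone.

    Credential stuffing: many accounts, about one attempt each (a leaked
    pair either works or it does not).  Brute force: few accounts, many
    attempts each.  Thresholds are illustrative and need tuning per site.
    """
    verdicts = {}
    for ip, s in stats.items():
        per_account = s["attempts"] / len(s["accounts"])
        if s["attempts"] < min_attempts:
            verdict = "normal"
        elif per_account <= stuffing_max_per_account:
            verdict = "credential-stuffing"
        elif per_account >= brute_min_per_account:
            verdict = "brute-force"
        else:
            verdict = "suspicious"
        verdicts[ip] = {
            "verdict": verdict,
            "attempts": s["attempts"],
            "accounts": len(s["accounts"]),
            "attempts_per_account": per_account,
            "success_rate": s["successes"] / s["attempts"],
        }
    return verdicts


def daily_successes(events):
    """Successful logins per day: the scattered successes of a slow stuffing
    campaign only stand out when they are summed over the whole window."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "OK":
            counts[e["date"]] += 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    for ip, v in classify(source_stats(events)).items():
        print(ip, v["verdict"], f"{v['attempts']} attempts over {v['accounts']} accounts")
    print(daily_successes(events))
```

The point of keying on attempts per distinct account rather than on raw failure counts is that a stuffing campaign can stay under any per-account threshold forever, since it only ever tries one leaked pair per account; it is the breadth, and the slowly accumulating successes across days, that give it away.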


24,000 Accounts? (3, Funny)

CanHasDIY (1672858) | about a year ago | (#44216563)

So... all of them, then?

Zing.

Re:24,000 Accounts? (1)

Trepidity (597) | about a year ago | (#44216931)

The article notes that they have 4 million users just in Japan, oddly enough. That's about 3% of Japan's population.

Re:24,000 Accounts? (0)

Anonymous Coward | about a year ago | (#44216959)

l: mario
p: luigi

Just guessing? (4, Insightful)

jandrese (485) | about a year ago | (#44216579)

24,000 successful logins from 15 million attempts sounds like a brute force attack. I wouldn't be surprised at all if all of those compromised accounts had horrible, easy-to-guess passwords.

Re:Just guessing? (1, Insightful)

ciderbrew (1860166) | about a year ago | (#44216601)

I have lots of easy-to-guess passwords if they allow 15 million attempts on an account.

Re:Just guessing? (4, Insightful)

Mashdar (876825) | about a year ago | (#44216703)

GP meant that they tried several easy passwords on many more than 24,000 accounts. 24,000 / 15,000,000 = 0.16% success rate... This might be the fraction of accounts using "12345" as a password.

Re:Just guessing? (1)

jandrese (485) | about a year ago | (#44216807)

Right, assuming Nintendo didn't enforce any useful password requirements, there are probably tens of thousands of accounts with "12345", "god", and "password" as their passwords.

Re:Just guessing? (1, Interesting)

ciderbrew (1860166) | about a year ago | (#44216899)

How much brute force traffic do you expect before you do something? Especially after Sony got a kick in the nuts with this. Also, I'd expect children to have awful dictionary passwords, with only the cleverer dyslexic kids being safe. Their own name and some numbers being the limit. Shame, they could have set some pictures and set up a really good Nintendo-ish password system. More secure than adult stuff, now I come to think how it would work.

Re:Just guessing? (0)

Anonymous Coward | about a year ago | (#44217245)

Shame, they could have set some pictures and set up a really good Nintendo'ish password system.

Porygon causing attackers to have seizures?

Well, it's not exactly ICE, but it'll do.

Re:Just guessing? (1)

parkinglot777 (2563877) | about a year ago | (#44218273)

How much brute force traffic do you expect before you do something?

Obviously, you did not read TFA. Yes, it creates traffic, but it might not have created enough noticeable traffic at first; it only became obvious later on.

On further investigation Nintendo found that the attempts started on June 9 and the scattered instances of illicit logins became a problem on July 2.

Re:Just guessing? (1)

Charliemopps (1157495) | about a year ago | (#44217209)

I have accounts where the password is something useless like that. Those are on sites where the host forced me to create an account to get a coupon or something similarly idiotic to drive up their subscription rates. I suspect these hackers have a nice long list of accounts for the surname "yourself".

Re:Just guessing? (1)

Trax3001BBS (2368736) | about a year ago | (#44220365)

I have accounts where the password is something useless like that. Those are on sites where the host forced me to create an account to get a coupon or something similarly idiotic to drive up their subscription rates

When you come across these sites you should post your log-in info to http://www.bugmenot.com/ [bugmenot.com]
It's helped me get into sites that I didn't wish to log into, and I pay back by posting log-ins myself.
It's become well known and many sites have requested theirs not be listed; but in the long run it works very well.

Re:Just guessing? (0)

Anonymous Coward | about a year ago | (#44220849)

I suspect these hackers have a nice long list off accounts for the surname "yourself"

Let me guess, first name "Go", middle initial "F"?

Re:Just guessing? (1)

hairyfeet (841228) | about a year ago | (#44218469)

Well, at least in my neck of the woods the most popular number combo is folks' SSNs, scarily enough. I don't know how many times I have had a customer write down their username and password so I can get in and do the work, only to find it's their SSN.

This is why I have been saying for years we really need smart cards or biometrics or something, as the number of people out there using crazy simple passwords is just nuts. Their SSN, their birthday, the name of their kid or pet; people honestly don't think when it comes to passwords, so I'm honestly amazed a brute force attack scored so little. I figured it would be much higher.

Re:Just guessing? (2)

tlhIngan (30335) | about a year ago | (#44216709)

I have lots of easy to guess passwords if they allow 15 million attempts on an account.

More like they tried 15M attempts at logging in with various username-password combinations, of which 24,000 of them were successful.

Though, given how little information Nintendo asks, one wonders what the whole point is - I don't think Nintendo even asks for an address until they absolutely need it, so if it was an account created but not really used, there's no information at all. Maybe a few coins, but you can't take them from one account and consolidate them to another...

Of course, Nintendo's entire online thing is a bit iffy to begin with - there's at least three different logins for three different systems, none of which are combined - you have a support account, a Nintendo Network account (Wii U) and a Club Nintendo account.

I suppose a lot of the separation is because well, all the child privacy and protection laws really make it hard to even get something like an email address...

Re:Just guessing? (0)

Anonymous Coward | about a year ago | (#44216729)

Your passwords are 4 characters or less?

Re:Just guessing? (2)

jkflying (2190798) | about a year ago | (#44216853)

Standard English grammar has 1.1 bits of information per character (at least in larger text bodies).

Re:Just guessing? (1)

ciderbrew (1860166) | about a year ago | (#44216915)

Hey. I see what you're doing there.

Re:Just guessing? (0)

Anonymous Coward | about a year ago | (#44216941)

My password is exactly 4 characters, and "less".

Re:Just guessing? (0)

Anonymous Coward | about a year ago | (#44217089)

Sooner or later, even yo mamma gets hacked.

Re:Just guessing? (1)

Guppy06 (410832) | about a year ago | (#44217119)

24,000 out of 15 million? If it really is brute force, why so few?

Re:Just guessing? (1)

TheSkepticalOptimist (898384) | about a year ago | (#44217527)

because that is exactly the definition of brute force: using non-impressive means to gain access to accounts of people stupid enough to use easy-to-guess passwords.

Re:Just guessing? (1)

Guppy06 (410832) | about a year ago | (#44220051)

using non-impressive means to gain access to accounts by people stupid enough to use easy to guess passwords.

So you believe that only 24,000 out of 15,000,000 used "easy to guess passwords?"

Re:Just guessing? (0)

Anonymous Coward | about a year ago | (#44221123)

Now you're just being an ass.
Why do I say this? Because there weren't 15,000,000 accounts to begin with. It's 15,000,000 attempts. Now get back to Reading Comprehension class, you fucking need it.

Re:Just guessing? (0)

Anonymous Coward | about a year ago | (#44217135)

it'sa meeeee... username:_____/password:mario would be my guess

Re:Just guessing? (1)

medv4380 (1604309) | about a year ago | (#44218251)

Or if all of them happen to be the same Username Password combo from UPlay.

Oh no! (0)

Anonymous Coward | about a year ago | (#44217041)

I better check my account - maybe the hackers found something useful to spend my glut of "coins" on. I sure as hell haven't had much luck with that.

Username or Email? (1)

WillgasM (1646719) | about a year ago | (#44217205)

Does Club Nintendo use unique usernames, or email addresses for login? Someone probably just got a hold of one of those old Facebook or Twitter lists and decided to try those creds here. Most people use the same password for everything. I'm always reminded of this when setting up an account on random gaming forums. Who's to say they aren't just collecting creds and then later trying them on Facebook, Twitter, etc or getting into my game account and sharding my purples.

How is brute force even a viable means of hack? (1)

TheSkepticalOptimist (898384) | about a year ago | (#44217613)

It should be very obvious how to guess the difference between a human logging in and a bot.

If a user is generating 100k failed password attempts a minute, day, week, month, or even a year, chances are they are a bot.

Also, if someone is logging in from various places around the world, chances are it's a bot. If the user sets up an account from the US or Canada, but is logging in from China one minute then Russia another, it's probably a bot.

Also, even if the bot has 1 failed attempt a day using some discretionary attack, at some point a server should realize that there is no human stupid enough to fail to enter a password properly on a regular basis. I mean, once you enter your password in most browsers or on the Wii console, you don't even have to type it in again, so 3 failed attempts in any given period of time should lock you out of your account, period.

What I feel will be the "incorrect" response:

1) Make your password require 10+ characters and the use of special requirements such as caps, digits and symbols
2) Implement some captcha system to prove you are human every time you want to do anything on the system, even after you have logged in.
3) Probably implement some crazy recovery system including having to mail you your password through snail mail to recover the account.

But the reality is I can't understand how any password system could even allow brute force password hacks. Except in the case where you make a one time attempt and use a generic commonly used password list, chances are any system is going to have to make many failed attempts before it gets it right, and there is no way a server should allow more than a few failed attempts before locking down.
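Added example (the editor's, not the poster's and not Nintendo's code) of how the "three failed attempts and lock the account" rule proposed above behaves against the two attack shapes the thread is arguing about. The replay below runs constructed brute-force traffic (one account, many guesses) and constructed credential-stuffing traffic (one leaked pair per account, many accounts) through a per-account lockout alone, and then through the same lockout plus a per-source failure budget. The class, the thresholds, the addresses and the traffic are all assumptions made for the example.

```python
from collections import Counter, defaultdict, deque


class LoginGuard:
    """Two throttles kept side by side for comparison.

    account_max_failures: the per-account lockout proposed in the thread.
    source_max_failures:  a failure budget per source address; None disables it.
    window:               seconds after which old failures stop counting.
    Counters live in memory here; a deployment would keep them in a shared
    store with expiry so every front end sees the same totals.
    """

    def __init__(self, account_max_failures=3, source_max_failures=None, window=600):
        self.account_max = account_max_failures
        self.source_max = source_max_failures
        self.window = window
        self.account_failures = defaultdict(deque)  # account -> failure timestamps
        self.source_failures = defaultdict(deque)   # source  -> failure timestamps

    def _prune(self, dq, now):
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def check(self, account, source, now):
        """Return None if the attempt may proceed, else the reason it is refused."""
        self._prune(self.account_failures[account], now)
        self._prune(self.source_failures[source], now)
        if len(self.account_failures[account]) >= self.account_max:
            return "account-locked"
        if self.source_max is not None and len(self.source_failures[source]) >= self.source_max:
            return "source-throttled"
        return None

    def record(self, account, source, success, now):
        if not success:
            self.account_failures[account].append(now)
            self.source_failures[source].append(now)


def stuffing_run(n_accounts=30, hit_index=25, source="198.51.100.7"):
    """Constructed credential-stuffing traffic: one leaked pair per account,
    all from one address; exactly one of the pairs happens to be valid."""
    return [(float(i), f"u{i:04d}", source, i == hit_index) for i in range(n_accounts)]


def brute_run(n_attempts=10, source="203.0.113.5"):
    """Constructed brute force: one account, many guesses, the last one correct."""
    return [(float(i), "alice", source, i == n_attempts - 1) for i in range(n_attempts)]


def simulate(attempts, guard):
    """Replay (time, account, source, password_correct) tuples and count outcomes."""
    outcome = Counter()
    for now, account, source, correct in attempts:
        reason = guard.check(account, source, now)
        if reason:
            outcome[reason] += 1
            continue
        guard.record(account, source, correct, now)
        outcome["success" if correct else "failed"] += 1
    return dict(outcome)


if __name__ == "__main__":
    print("brute force, account lockout only:", simulate(brute_run(), LoginGuard()))
    print("stuffing,    account lockout only:", simulate(stuffing_run(), LoginGuard()))
    print("stuffing,    plus source budget:  ",
          simulate(stuffing_run(), LoginGuard(source_max_failures=20)))
```

The per-account lockout stops the brute-force run after three guesses but never fires against the stuffing run, because no account ever sees a second failure; only the per-source budget catches it. A per-source budget in turn is weak against traffic spread across many addresses, and any lockout can be turned into a denial of service against the locked accounts, which is why sites combine these controls with the kind of aggregate monitoring that counts attempts and successes across all accounts.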

Re:How is brute force even a viable means of hack? (1)

tlhIngan (30335) | about a year ago | (#44218233)

Also even if the bot has 1 failed attempt a day using some discretionary attack, at some point a server should realize that there is no human stupid enough to fail to enter a password properly on a regular basis. I mean once you enter your password in most browser or on the Wii console, you don't even have to type it in again, so 3 failed attempts in any given period of time should lock you out of your account, period.

Except Club Nintendo is NOT tied to anything you already have. It's a separate account and everything.

In fact, it's sort of useless because all it's good for is entering those codes you get with the system and games, which gives you access to prizes. There's very little personal information (you only need an email address to sign up), and there's absolutely no financial information at all - the rewards of Club Nintendo are paid for completely by Nintendo - no shipping, etc.

Heck, even shipping addresses may not be all that special, if they're retrievable. And Nintendo only asks for those when they need it.

Re:How is brute force even a viable means of hack? (1)

fast turtle (1118037) | about a year ago | (#44221313)

Guildwars - I've screwed up and typo'd the damn pw (n)x times in a row w/o hitting their limit. Of course, it's also a registered IP with them, so maybe the system would lock things if there were too many failures from various unrecognized locations.

Linked to Pokémon fansite hack? (1)

ais523 (1172701) | about a year ago | (#44218949)

A bunch of Pokémon fansites were hacked recently (here's one reasonably detailed report from one of the sites). Although as far as I know no plaintext passwords were stored on any of the servers, there were a bunch of password hash databases taken; and because Pokémon is a Nintendo property, Nintendo's website would be an obvious place to try any username/password pairs that were weak enough to be reversed from the databases (and some plaintext passwords would be available as a result of compromised login forms).

Many of the hacked sites (that I know about, at least) were reasonably small, with user counts measured in thousands; as such, 24 thousand total seems to be a reasonable estimate for the number of accounts that might have been affected.
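Added example (the editor's, not the poster's, and not code from any of the sites mentioned) of what "reversed from the databases" means in practice: nobody inverts the hash; the attacker hashes a wordlist and compares. With unsalted MD5 that is a table lookup whose cost is the same whether one row or a million leaked, so every weak password in the dump falls at once. With a per-user salt and a slow hash, every row has to be attacked on its own, and a row only falls if its own password is in the wordlist. The wordlist, the fixed salts and the 1000-iteration count are constructed for the example; deployments use far higher iteration counts.

```python
import hashlib
import os

# Constructed wordlist of the kind of passwords the thread expects: short,
# common, guessable.  Real cracking wordlists run to millions of entries.
WORDLIST = ["123456", "12345", "password", "god", "mario", "luigi", "pikachu", "letmein"]


def md5_hex(password):
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup(words):
    """Precompute hash -> password once; an unsalted table is reversed by
    pure lookup, so the cost does not grow with the number of leaked rows."""
    return {md5_hex(w): w for w in words}


def crack_unsalted(leaked_hashes, lookup):
    """Map each leaked unsalted MD5 to a password, or None if not in the wordlist."""
    return {h: lookup.get(h) for h in leaked_hashes}


def pbkdf2_hex(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def make_salted_record(user, password, salt=None, iterations=1000):
    """What a site should store instead: (user, salt, slow salted hash).
    1000 iterations keeps the example quick; deployments use far more."""
    salt = os.urandom(16) if salt is None else salt
    return (user, salt, pbkdf2_hex(password, salt, iterations))


def crack_salted(records, words, iterations):
    """With a per-user salt there is no shared table: every candidate must be
    re-hashed for every record, i.e. len(records) * len(words) * iterations
    hash operations, and each record only falls if its own password is listed."""
    found = {}
    for user, salt, stored in records:
        found[user] = next((w for w in words if pbkdf2_hex(w, salt, iterations) == stored), None)
    return found


def hash_operations(n_records, n_words, iterations, salted):
    """Hash computations needed to test the whole wordlist against every row."""
    return n_records * n_words * iterations if salted else n_words


if __name__ == "__main__":
    leaked = [md5_hex("pikachu"), md5_hex("letmein"), md5_hex("Tr0ub4dor&3")]
    print(crack_unsalted(leaked, build_lookup(WORDLIST)))
    records = [make_salted_record("ash", "pikachu", b"salt-one"),
               make_salted_record("misty", "Tr0ub4dor&3", b"salt-two")]
    print(crack_salted(records, WORDLIST, 1000))
    print(hash_operations(24_000, len(WORDLIST), 1000, salted=True))
```

Salting and a slow hash raise the attacker's cost per row by orders of magnitude, but they do not rescue an account whose password is "12345"; that row still falls on the first few guesses, which is why the reuse of weak passwords across sites is the real problem the thread is circling.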

Fine, I'll say it (1)

slashmydots (2189826) | about a year ago | (#44221145)

So...just morons with awful, generic, guessable passwords?

Yahoo hack led to this (1)

bunkymag (1567407) | about a year ago | (#44221605)

As per the parent post, they were referencing a list of usernames and passwords sourced 'elsewhere'. Yahoo JP edition lost pretty much everyone's details about six weeks back [wired.co.uk] - this is more than likely the source.

I have a club nintendo jp account (no notice of hacking yet, though I did receive notice from Yahoo above). From memory the user ID for the club nintendo service needed to be an eight digit number rather than a more usual word based UID. That could easily explain the perceived low success rate of the hack attempts.

Mamamiya! (0)

Anonymous Coward | about a year ago | (#44224147)

All I can think of is, when Shigeru Miyamoto heard about this, he must have said "Mamamiya! That's-a crazy pizcha-pi-ya!"

