Gibson Index

2013-07-08: Thousands of Club Nintendo Accounts Hijacked in Brute-Force Attack

Level Two Attack

Nintendo HQ has revealed that their Club Nintendo site, which has over 4 million users, was hacked recently. Customer data including names, home and mailing addresses, and phone numbers were exposed. Credit card information is said not to be at risk, however.

Nintendo is working to strengthen the security of Club Nintendo, and they are also requiring users to update their passwords.

This event is said to have been the result of a brute-force password guessing attack, which worked for around 24,000 accounts after 15 million attempts. Developers are advised to add authentication throttling logic to their applications to avoid situations like this. 15 million failed attempts should be easy to detect.

Update: I've posted a how-to guide on retrofitting PHP applications with authentication throttling to my technology blog. Hopefully it will help folks improve the security on their applications.

Related Links

comments powered by Disqus