BreachExchange mailing list archives

Nintendo rewards program site hacked, names, email addresses and phone numbers possibly compromised


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Fri, 5 Jul 2013 09:49:17 -0500

http://thenextweb.com/insider/2013/07/05/nintendo-reward-program-site-hacked-members-names-email-addresses-and-phone-numbers-possibly-compromised/

Nintendo admitted today that Club Nintendo, a loyalty program that
gives players exclusive products in exchange for registering their
consoles and games, has been hacked.

The company launched an investigation on July 2 after witnessing a
“large” number of errors on the site. Nintendo can now confirm that
23,9326 unauthorized log-ins occurred between June 9 and July 4, as
well as over 15 million attempts.

Spotted by Kotaku, the video game giant says users’ names, addresses,
phone numbers and email addresses may have been affected as a result
of the breach. Any unauthorized use of Club Nintendo points, the
virtual currency used to buy rewards, has not been confirmed at this
time.

None of the goods and services sold through Club Nintendo require
payment, so there’s absolutely no chance of any credit or debit card
information being leaked as part of the breach. Players can only
redeem prizes based on the points they receive for each registered
game or console, somewhat reducing the impact of the hack.

Nintendo has invalidated all Club Nintendo passwords and issued an
email to members asking that they reset their password at the earliest
opportunity. Nintendo is now looking to strengthen its security and
monitoring procedures to ensure such an incident doesn’t happen again.

It’s also worth noting that while Nintendo released the statement from
its Japanese site, it’s not yet clear if the hack is limited to the
domestic version of Club Nintendo, or international variants as well.

Video game publisher Ubisoft confirmed earlier this week that one of
its websites was also hacked, resulting in the compromise of
usernames, email addresses and encrypted passwords.

The company didn’t reveal which site was affected, but confirmed that
no personal payment information was taken, again because no financial
data was stored on its servers. Ubisoft has since launched an
investigation with “relevant authorities, internal and external
security experts.”

Both of these incidents pale in comparison to the PlayStation Network
hack in April 2011, which compromised a whole host of user information
including names, birth dates and encrypted passwords. A database of
credit card numbers was also stolen, although Sony reported that these
were also protected by industry standard encryption.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
