According to a press release in Japanese, and as Ars Technica recently suggested, the fraudsters apparently went through old Nintendo Network accounts (NNID), used at the time on Wii U and 3DS, to access current Nintendo Switch accounts and make purchases illegally. Through this flaw, fraudsters were able to hijack PayPal accounts linked to Nintendo accounts and make purchases at users' expense, especially users who had kept an old password that offered limited protection.
This is why Nintendo, which also issued a press release in French, in a less transparent way, has just blocked any login using an NNID and once again recommends that all Switch users activate two-step verification. Those who used NNID information to log into their Switch account will also receive an email to reset their password and are asked to use a new, unique password that no one else could find on the internet.
Personal data accessible, but not bank information
The manufacturer states in any case that the fraudsters were able to access certain personal data of the victims, such as name, e-mail address, date of birth and nationality, but that bank card information remained out of the criminals' reach. According to Nintendo, the phenomenon began in early April, just when Nintendo's Twitter account was putting out an (innocent?) little safety reminder.
While apologizing and promising to be extra careful to prevent this kind of security breach from happening again, Nintendo also undertakes to compensate anyone who has been the victim of a fraudulent purchase made in its own shops (eShop and My Nintendo Store).