15 MILLION dodgy login attempts spaffed all over Nintendo loyalists

Hackers broke into 24,000 Club Nintendo accounts after pummelling the loyalty-reward website in a month-long assault. The games console titan revealed that the sustained brute-force attack exposed the names, addresses, phone numbers and other personal details of thousands of its customers. Nintendo has reset a number of …

COMMENTS

This topic is closed for new posts.
  1. Irongut

    15M failed logins and it took them a month to detect it? Muppets.

    1. pepper

      Hmm

      A month-long brute force, I doubt anyone would miss it. The fact that they LET IT GO ON for a month is more shocking to me... At what point does such a thing become acceptable? I wonder what the criminals were thinking.

      Muppets they are indeed.

      1. Crisp

        Re: I wonder what the criminals were thinking.

        They were probably thinking, "Woah, this is easy... Nintendo have obviously not heard of Intrusion detection."

      2. Anonymous Coward

        Which group of criminals??

        @pepper - "I wonder what the criminals were thinking."

        You mean the criminals at Nintendo who openly promote identity theft against their customers? Or the evil hackers (who probably needed brains about as big as a gerbil's in order to pull off this stunt)?

        1. Anonymous Coward

          Re: Which group of criminals??

          Once again the victim of a crime is portrayed as the criminal, while the criminal is portrayed as having done nothing wrong, because it was easy.

    2. JDX Gold badge

      Every site like this is constantly suffering a high volume of attempted logins...

    3. Anonymous Coward

      15M failed logins and it took them a month to detect it? Muppets.

      I think the issue isn't so much detecting it, but protecting against it. A company has to take a decision either to ignore failed logons, or lock an account (even temporarily) and so turn this cracking attempt into a successful denial of service attack. You cannot just lock logon attempts on an IP basis, because that is circumvented by the use of botnets anyway.

      I would have added a CAPTCHA to the login process. That's not perfect, but it will at least demand extra resources from the wannabe cracker.
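The two comments above disagree over whether the hard part is detecting a month-long credential attack or protecting against it. As an added example (not part of the thread, and not Nintendo's code), here is the detection half: a small analyser run over constructed auth-log lines that looks at the aggregate shape of failures in a window rather than at single failed logins. It flags three things: the failure count against an assumed historical baseline, one source failing against many accounts, and one account failed against from many sources (the botnet pattern that per-IP lockout never sees). The log format, regex, thresholds and addresses are all constructed for the illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed line format; real auth logs vary, so this regex is an assumption.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample window: one source trying five accounts, one account
# tried from three sources, plus ordinary traffic. Addresses are from the
# documentation ranges, not real hosts.
SAMPLE_LOG = """\
2013-06-02T10:00:01Z login ok user=alice src=203.0.113.5
2013-06-02T10:00:03Z login fail user=bob src=198.51.100.7
2013-06-02T10:00:04Z login fail user=carol src=198.51.100.7
2013-06-02T10:00:04Z login fail user=dave src=198.51.100.7
2013-06-02T10:00:05Z login fail user=erin src=198.51.100.7
2013-06-02T10:00:05Z login fail user=frank src=198.51.100.7
2013-06-02T10:00:06Z login fail user=grace src=192.0.2.10
2013-06-02T10:00:06Z login fail user=grace src=192.0.2.11
2013-06-02T10:00:07Z login fail user=grace src=192.0.2.12
2013-06-02T10:00:08Z login ok user=bob src=203.0.113.9
2013-06-02T10:00:09Z login fail user=heidi src=203.0.113.9
"""


@dataclass
class Event:
    ts: str
    ok: bool
    user: str
    src: str


def parse(text):
    """Turn log text into Event records, silently skipping non-matching lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(Event(m["ts"], m["result"] == "ok", m["user"], m["src"]))
    return events


def analyse(events, baseline_fails, spray_users=5, spread_sources=3, ratio_alert=10.0):
    """Summarise one window of login events and decide whether to alert.

    baseline_fails:  failed logins normally seen in a window this size
                     (assumed to come from historical data).
    spray_users:     distinct accounts one source must fail against to count
                     as password spraying.
    spread_sources:  distinct sources failing against one account to count as
                     a distributed attack on that account.
    ratio_alert:     failures-over-baseline multiple that alerts on its own.
    """
    fails = [e for e in events if not e.ok]
    users_by_src = defaultdict(set)
    srcs_by_user = defaultdict(set)
    for e in fails:
        users_by_src[e.src].add(e.user)
        srcs_by_user[e.user].add(e.src)

    if baseline_fails:
        ratio = len(fails) / baseline_fails
    else:
        ratio = float("inf") if fails else 0.0

    findings = {
        "failed": len(fails),
        "fail_ratio": ratio,
        "spraying_sources": sorted(
            s for s, users in users_by_src.items() if len(users) >= spray_users
        ),
        "distributed_targets": sorted(
            u for u, srcs in srcs_by_user.items() if len(srcs) >= spread_sources
        ),
    }
    findings["alert"] = (
        ratio >= ratio_alert
        or bool(findings["spraying_sources"])
        or bool(findings["distributed_targets"])
    )
    return findings


def run_sample(baseline_fails=2):
    """Analyse the constructed window against an assumed baseline of 2 failures."""
    return analyse(parse(SAMPLE_LOG), baseline_fails)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

On the sample window the raw failure ratio (4.5x baseline) stays under the alert multiple, and the alert fires on the per-source and per-account spread instead; that is the point of keeping more than one signal, since a slow, distributed campaign can sit below a pure volume threshold for weeks.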

  2. Miek

    Hacking gaming companies seems to be getting more popular; there was an issue a month or two ago where EA Origin's Battlefield servers suffered DDoS attacks aimed at their authentication servers. I believe they may have made some drastic infrastructure changes after this incident.

    BF3blog.com

    Edit: I forgot to mention the point of my post. Essentially any game company or web enabled service provider that doesn't work hard to ensure their systems are secure should be lambasted for such incompetence.

    Another example: LG produce software called SuperSign, for driving public display screens. It uses Postgres as its database ... the installer (Windows) creates a new user postgres with the password 'postgres', nice; thankfully this can be changed by altering the password and updating the Windows service user account settings. Unfortunately, I cannot change the fact that all the (SuperSign) user accounts' passwords are stored in the postgres database in plain text, not even hashed, let alone salted. Amateurs.

  3. h3

    If choosing a decent password is enough then I am far less bothered than if the system is exploited and everything is lost regardless. Depends how many machines they were using as well.

  4. J I

    Soft target?

    I have a Club Nintendo account from when I was living in Japan (which does not appear to have been accessed, fortunately). It seems unlikely to me that anyone was hacking it for the things you can get as they are mostly limited edition Nintendo goods which need physical delivery and aren't particularly valuable anyway. My guess is that the hackers either wanted the kudos of hacking a household name, or were after a soft target for getting personal information they could use for something else.

    1. lglethal Silver badge

      Re: Soft target?

      That was kind of my first thought. If the hackers were after something which required a physical delivery, then surely it should be easy to track down the culprits (hint: check the delivery addresses). I know that there are ways to make this more difficult (PO Boxes, etc.), but any time you actually have a physical delivery, it makes the chances of tracking someone a thousand times easier than in a purely digital medium...

    2. Kevin 6

      Re: Soft target?

      But outside what games you own and system serial numbers, they only have personal info that you could get out of any phone book.

      When I read this last week I was stumped by what they could steal.

  5. Aristotles slow and dimwitted horse

    But according to these companies the internet is the future...

    So stop criticizing poor old thems when they get it wrong. You know... like - buying your games online, micro payments, accounts linked to your finances, all that great sort of stuff that you wanted - because YOU asked for that convenience, and Nintendo, Sony, MS, Apple, Google, Amazon et al are only serving your needs right so why should they be accountable or responsible for anything? And anyway, it's the future so everything will be alright, right? And it's the future because that's what they say it is, right? And everything... right? Right?

    Errr... wrong.

    Fucking idiots.

  6. Greg J Preece

    This is ridiculous. How do you not spot a month-long brute force attack on a system like that? How does the first wave of breaches not give the game away?

    Good thing I already cashed in my excessive number of club points on that rather fetching Link/Epona statue. :-D

  7. Anonymous Coward

    Some 40 years ago, in an age where the 'attacks' were playful rather than malicious, I was tasked with a system of preventing the brute force method. The solution was to simply delay ten to the power N seconds between login prompts where N was the number of failed attempts. It was also credited with improving the standard of typing as everyone took a bit of extra care, particularly after one mistake.

    1. Anonymous Coward

      There is one problem with that: in between those fake brute force logins also still hide some genuine users who simply want to use the service they paid for. By delaying logins you turn the brute force cracking attack into a Denial of Service one. Both are not helpful.
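The exchange above (delay 10^N seconds after N failures, versus the objection that any delay turns a guessing attack into a denial of service for the real user) and the earlier comment about lockout versus DoS are the same trade-off. As an added example that is not from the thread, this simulation puts numbers on it: for each delay policy it counts how many guesses one actor can make against one account in a day if every attempt fails, and how long the account's owner waits after a short streak of typos. The policy names, the 300-second cap and the one-day horizon are constructed for the illustration.

```python
SECONDS_PER_DAY = 86_400


def no_delay(n):
    """Baseline with no penalty: roughly one prompt per second."""
    return 1


def power_of_ten_delay(n):
    """The scheme from the comment above: 10^N seconds after the N-th consecutive failure."""
    return 10 ** n


def capped_backoff(n, cap_s=300):
    """Exponential backoff held to at most cap_s seconds (the cap is an assumed value)."""
    return min(2 ** n, cap_s)


def attempts_within(delay_fn, horizon_s):
    """Guesses one actor can make against one account in horizon_s seconds.

    Every attempt is assumed to fail; after the n-th failure the next prompt
    is delayed delay_fn(n) seconds. The first attempt is immediate.
    """
    elapsed = 0
    attempts = 0
    failures = 0
    while elapsed <= horizon_s:
        attempts += 1
        failures += 1
        elapsed += delay_fn(failures)
    return attempts


def owner_wait(delay_fn, typo_streak):
    """Seconds the account's legitimate owner waits after typo_streak consecutive typos."""
    return delay_fn(typo_streak)


def compare(horizon_s=SECONDS_PER_DAY, typo_streak=5):
    """Attacker budget and owner cost side by side for each policy."""
    policies = {
        "no_delay": no_delay,
        "power_of_ten": power_of_ten_delay,
        "capped_backoff": capped_backoff,
    }
    return {
        name: {
            "guesses_per_account_per_day": attempts_within(fn, horizon_s),
            "owner_wait_s": owner_wait(fn, typo_streak),
        }
        for name, fn in policies.items()
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:15s} {result}")
```

With these numbers the 10^N scheme allows only five guesses per account per day, but five typos cost the owner 100,000 seconds (over a day), which is exactly the denial of service the reply describes. The capped policy still holds a single account to a few hundred guesses a day while the owner's worst case stays at the cap. Keying the counter on the account rather than the source is what makes it hold against a botnet that spreads attempts across many addresses; the cap is what keeps that same per-account counter from becoming a weapon against the account's owner.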

  8. Arachnoid

    So I guess they will be claiming 15M sales for that month

  9. Kevin McMurtrie Silver badge

    rm /var/log/clubnintendo/2013-06-*

    There, fixed that low disk space issue!
