Last month, we reported on a surge of takeover attacks targeting Nintendo Switch account holders. The hackers somehow broke into these accounts and used the linked PayPal wallets to buy items such as Fortnite “V-Bucks.” Nintendo hasn’t provided an in-depth explanation of these events; it simply advised users to enable two-factor authentication, review their sign-in history, and sign out of any devices they are not actively using. A piece by Motherboard presents a possible explanation for the recent Nintendo Switch account takeover wave, and the finger is pointed at Nintendo’s own login system.
As researcher Runa Sandvik discovered, the ‘OK’ button on the login dialog of the Nintendo eShop only lights up when the user enters a password that matches the email address. Crucially, it also lights up when the user enters just the correct first eight characters of that password. Clicking it won’t log you in; the full password is still required for that. But it does confirm what the first eight characters are. Instead of having to search the whole password at once, an attacker can confirm the first eight characters on their own and then search only the remainder: for a “typical” 12-character password, that leaves another four characters to guess, and the total effort becomes roughly the sum of two much smaller searches rather than their product.
This amounts to giving someone a “free pass” to try as many eight-character combinations as they wish, with the system telling them when they’ve hit a valid one, and without a single successful login being needed to get that feedback. If the password is a passphrase made of dictionary words, guessing the remainder from a confirmed prefix would be pretty easy. All that said, this flawed system seems to provide a pretty good explanation for the recent surge of takeover attacks. Nintendo may have implemented this “confirmation” to make the login screen a bit more convenient. Still, the security implications, and by extension the consequences that arise from this decision, are dire.
Finally, this raises the question of how Nintendo stores user passwords in the first place. The company should not be able to compare plaintext to plaintext, as passwords should be stored on its systems only as salted hashes, and a salted hash of the full password cannot tell you whether the first eight characters of a guess are right. For the button to behave this way, the first eight characters must be checked independently of the rest: either the prefix is held in a recoverable form or it is hashed on its own. Either way, the prefix becomes a separately attackable secret, so there is no effective cryptographic protection for at least that part of your password. If you haven’t activated two-factor authentication on your Switch account yet, do it immediately. Nintendo hasn’t responded to this story yet, so we can’t say whether it plans to amend the login screen and change the ‘OK’ button’s behavior.
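To make the two points above concrete, here is an added Python simulation; it is not part of the Motherboard story and is not Nintendo’s code. It models a constructed account store that keeps a separate hash of the first characters so a login form could “light up” early, runs the two-stage guessing attack such an oracle enables, and contrasts it with a hardened store that holds only a salted hash of the full password and therefore cannot confirm a partial entry. The digit-only alphabet, the 6-character password with a 4-character prefix (instead of the article’s 12 and 8), the sample password, and the use of plain salted SHA-256 instead of a slow KDF are all demo assumptions chosen so it runs instantly.

```python
"""Prefix-oracle login demo (added example; constructed accounts, not Nintendo's code)."""
import hashlib
import hmac
import itertools
import os
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

ALPHABET = "0123456789"  # constructed: digits only, so the brute force finishes instantly
PREFIX_LEN = 4           # the article describes 8; 4 keeps the demo small


def _salted_hash(salt: bytes, secret: str) -> bytes:
    # Plain salted SHA-256 for speed. A real system would use a slow KDF
    # (argon2id, bcrypt, scrypt); that does not change the oracle problem below.
    return hashlib.sha256(salt + secret.encode()).digest()


@dataclass
class HardenedAccount:
    """Only a salted hash of the full password: a partial entry is just a wrong
    password, so there is nothing for a button to confirm early."""
    salt: bytes
    full_hash: bytes

    @classmethod
    def create(cls, password: str) -> "HardenedAccount":
        salt = os.urandom(16)
        return cls(salt, _salted_hash(salt, password))

    def login(self, guess: str) -> bool:
        return hmac.compare_digest(_salted_hash(self.salt, guess), self.full_hash)


@dataclass
class LeakyAccount(HardenedAccount):
    """Adds a second hash covering only password[:PREFIX_LEN] so the UI can light
    up early. Hashing the prefix does not help: it is a separate, smaller secret."""
    prefix_hash: bytes

    @classmethod
    def create(cls, password: str) -> "LeakyAccount":
        salt = os.urandom(16)
        return cls(salt, _salted_hash(salt, password),
                   _salted_hash(salt, password[:PREFIX_LEN]))

    def prefix_ok(self, guess: str) -> bool:
        """The oracle: True as soon as the first PREFIX_LEN characters match."""
        return hmac.compare_digest(_salted_hash(self.salt, guess[:PREFIX_LEN]),
                                   self.prefix_hash)


def two_stage_attack(prefix_oracle: Callable[[str], bool],
                     login: Callable[[str], bool],
                     total_len: int) -> Tuple[Optional[str], int, int]:
    """Stage 1: recover the prefix using only the oracle (no login needed).
    Stage 2: brute-force the tail with real login attempts.
    Returns (password or None, oracle queries, login attempts)."""
    queries, prefix = 0, None
    for cand in itertools.product(ALPHABET, repeat=PREFIX_LEN):
        queries += 1
        if prefix_oracle("".join(cand)):
            prefix = "".join(cand)
            break
    if prefix is None:
        return None, queries, 0
    attempts = 0
    for tail in itertools.product(ALPHABET, repeat=total_len - PREFIX_LEN):
        attempts += 1
        guess = prefix + "".join(tail)
        if login(guess):
            return guess, queries, attempts
    return None, queries, attempts


def search_cost(alphabet_size: int, total_len: int, prefix_len: int) -> Tuple[int, int]:
    """Worst-case guesses: one search over the whole password versus the two
    independent searches a prefix oracle allows (e.g. the article's 12/8 case)."""
    whole = alphabet_size ** total_len
    staged = alphabet_size ** prefix_len + alphabet_size ** (total_len - prefix_len)
    return whole, staged


def demo() -> dict:
    password = "492106"  # constructed demo password
    leaky = LeakyAccount.create(password)
    hardened = HardenedAccount.create(password)
    # Against the leaky store the attacker recovers the password cheaply.
    recovered, q, a = two_stage_attack(leaky.prefix_ok, leaky.login, len(password))
    # Against the hardened store the only "oracle" is login itself, which never
    # accepts a 4-character prefix, so stage 1 exhausts its space and fails.
    blocked, q2, _ = two_stage_attack(hardened.login, hardened.login, len(password))
    whole, staged = search_cost(62, 12, 8)
    return {"recovered": recovered, "oracle_queries": q, "login_attempts": a,
            "hardened_result": blocked, "hardened_queries": q2,
            "whole_space_62_12": whole, "staged_62_12_8": staged}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` recovers the constructed password after a few thousand oracle queries and only a handful of real login attempts, while the same attack against the hardened store burns through the whole prefix space and recovers nothing. For a 62-character alphabet, `search_cost(62, 12, 8)` shows the staged search is more than ten million times smaller than searching all twelve characters at once, which is the arithmetic behind “only four more characters to guess.”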