Even when a user takes it upon herself to close the NNID password hole, the task is unnecessarily painful and problematic. The process of actually changing the password requires accessing the account with a Wii U or 3DS (instructions here), and there’s always the possibility that users no longer own those older systems. It’s still possible to use a browser to reset an NNID password, but in that case, the new password is limited to only eight characters of Nintendo’s choosing. Even worse, Nintendo emails the user the new password in plaintext.
2FA to the rescue
To Nintendo’s credit, the company on Tuesday issued a statement to reporters advising users of hijacked accounts to enable two-factor authentication on their accounts, and all available evidence suggests this protection will prevent unauthorized access both directly and through NNIDs. The company, it should also be noted, provides instructions here for unlinking an NNID from a current account, but those instructions are not easy to find. Moreover, Nintendo continues to offer incentives to encourage keeping the accounts linked.
Nintendo’s statement to reporters recommending the use of 2FA is a step in the right direction, but from the start, emails notifying users of new sign-ins should have provided this advice. The emails also should have advised password resets not only for current accounts but also for NNIDs, as well as directions for unlinking the two. And in keeping with a concept known as defense in depth—which uses multiple layers of protection to secure systems—Nintendo should give users an easier and more secure way to change NNID passwords. Better yet, the game maker should make it easy to close NNIDs altogether. Last, Nintendo owes it to its customers to say if it knows of any breaches involving its network.
So there you have it. If you’re a Nintendo account holder, the first thing to do is set up 2FA and change the current account password. Out of an abundance of caution, users should also unlink the account from the NNID and change, or at least reset, the NNID password.
In the absence of useful advice from Nintendo, users will have to fend for themselves.