Credential theft

Nintendo Network ID (NNID) Credential Stuffing — 160,000 Accounts Compromised

📅 2020-03-01 🏢 Nintendo Network ID (NNID) / Nintendo Account

Incident Details

In April 2020, Nintendo disclosed that approximately 160,000 Nintendo Network IDs (NNIDs), a legacy login system from the Nintendo 3DS and Wii U era, had been compromised via credential stuffing between March and April 2020. Attackers used previously leaked credentials to log in via the NNID login portal. Because Nintendo had enabled NNID accounts to be linked to Nintendo Accounts (the current Switch-era system), attackers could then access the linked Nintendo Account, view personal information and, in some cases, make fraudulent purchases using saved PayPal or credit card credentials. Exposed data included nicknames, dates of birth, countries of residence, and email addresses.

Nintendo disabled the ability to use NNIDs to log into Nintendo Accounts as an immediate mitigation and reset passwords for all affected accounts. Nintendo subsequently updated its total estimate upward: later reports indicated up to 300,000 accounts may have been affected. Nintendo advised users to enable two-factor authentication and to change passwords. The incident was amplified by the surge in Nintendo Switch sales and online gaming activity during COVID-19 lockdowns.

Technical Details

Initial Attack Vector
Credential stuffing — attackers used previously leaked username/password combinations to log into Nintendo Network IDs (NNIDs) via a legacy login portal; successful logins allowed attackers to access linked Nintendo Accounts and make fraudulent purchases via saved payment methods
Vendor / Product
Nintendo Network ID (NNID) / Nintendo Account
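
A defender-side illustration of the attack vector above, added here and not taken from Nintendo or the primary source: it flags sources that try many distinct accounts with a low success rate on a login endpoint, then lists the accounts those sources actually got into as password-reset candidates. The log format, function names and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample auth log (not real data): "timestamp source_ip account_id result"
SAMPLE_LOG = """\
2020-04-01T10:00:01Z 203.0.113.7 user_a FAIL
2020-04-01T10:00:02Z 203.0.113.7 user_b FAIL
2020-04-01T10:00:03Z 203.0.113.7 user_c OK
2020-04-01T10:00:04Z 203.0.113.7 user_d FAIL
2020-04-01T10:00:05Z 203.0.113.7 user_e FAIL
2020-04-01T10:00:06Z 203.0.113.7 user_f FAIL
2020-04-01T10:01:00Z 198.51.100.20 user_g FAIL
2020-04-01T10:01:05Z 198.51.100.20 user_g FAIL
2020-04-01T10:01:09Z 198.51.100.20 user_g OK
2020-04-01T10:02:00Z 192.0.2.5 user_h OK
truncated line
"""

def parse(log):
    """Yield (source_ip, account_id, succeeded) for each well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("OK", "FAIL"):
            yield parts[1], parts[2], parts[3] == "OK"

def find_stuffing(log, min_accounts=5, max_success_ratio=0.34):
    """Map each suspicious source to the accounts it logged into successfully.

    Stuffing signature: one source tries many distinct accounts and only a
    small fraction succeed. Repeated failures on a single account (a forgetful
    user or a brute-force attempt) do not match.
    """
    tried, succeeded = defaultdict(set), defaultdict(set)
    for ip, account, ok in parse(log):
        tried[ip].add(account)
        if ok:
            succeeded[ip].add(account)
    return {
        ip: sorted(succeeded[ip])
        for ip, accounts in tried.items()
        if len(accounts) >= min_accounts
        and len(succeeded[ip]) / len(accounts) <= max_success_ratio
    }

def accounts_to_reset(log, **thresholds):
    """Accounts with a successful login from a flagged source: reset candidates."""
    hits = find_stuffing(log, **thresholds)
    return sorted({acct for accts in hits.values() for acct in accts})

if __name__ == "__main__":
    print(find_stuffing(SAMPLE_LOG))
    print(accounts_to_reset(SAMPLE_LOG))
```

Counting per source address misses attempts spread across many addresses, so the same grouping is usually repeated on other request attributes as well.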

Timeline

  1. 2020-03-01 Breach occurred
  2. 2020-04-24 Publicly disclosed
  3. 2020-04-24 Customers notified