Credential theft

Nintendo Account Credential Stuffing: 160,000 Accounts Breached

📅 2020-04-01 🏢 Nintendo Account / Nintendo Network ID (NNID) system

Incident Details

In April 2020, Nintendo disclosed that approximately 160,000 Nintendo accounts had been accessed without authorisation through a credential stuffing attack against the Nintendo Network ID (NNID) login system. Nintendo subsequently revised the number upward to approximately 300,000 accounts when additional victims were identified.

The attackers used NNID (the legacy login system for the Nintendo 3DS and Wii U platforms) as a vector to log into Nintendo Accounts, gaining access to game libraries, stored payment information, and Nintendo eShop credit. Many affected users reported fraudulent purchases via PayPal or credit cards linked to their accounts, with attackers purchasing digital games and currency. Nintendo notified affected users and disabled NNID sign-in for Nintendo Accounts, requiring users to reset passwords. Affected users were reimbursed for any fraudulent purchases.

The breach coincided with a massive surge in Nintendo Switch sales during the COVID-19 pandemic (Animal Crossing: New Horizons had just launched in March 2020 and was selling at record pace), making Nintendo accounts particularly valuable for accessing Switch games. The breach highlighted the risks of maintaining legacy login systems with weaker security alongside newer account systems. Nintendo accounts were a high-value target due to stored payment methods and the gaming market value of digital goods.

Technical Details

Initial Attack Vector
Attackers used credential stuffing (username and password combinations from other data breaches) to log into Nintendo accounts via the legacy Nintendo Network ID (NNID) login system; the NNID system was being deprecated and allowed third-party login to Nintendo accounts.
Vendor / Product
Nintendo Account / Nintendo Network ID (NNID) system
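
A defender-side illustration of the attack pattern described above, added here and not taken from the original record or from Nintendo's systems: it groups login events by source and login path, flags sources that try many distinct usernames with few successes, and lists the accounts that did authenticate so they can be reset. The event tuple layout, the `legacy`/`primary` path labels, the thresholds and all sample values are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events: (source_ip, login_path, username, success).
# Path labels, IPs (documentation ranges) and usernames are hypothetical.
SAMPLE_EVENTS = (
    # One source walking a list of usernames through the legacy login path.
    [("203.0.113.7", "legacy", f"user{i:02d}", i == 4) for i in range(1, 11)]
    + [
        # Ordinary user who mistypes a password once.
        ("198.51.100.20", "primary", "alice", False),
        ("198.51.100.20", "primary", "alice", True),
        # Household sharing one IP on the legacy path.
        ("198.51.100.31", "legacy", "bob", True),
        ("198.51.100.31", "legacy", "carol", True),
    ]
)


def find_stuffing_sources(events, min_users=5, max_success_ratio=0.2):
    """Flag (ip, path) pairs that try many distinct usernames with few successes."""
    stats = defaultdict(lambda: {"users": set(), "hits": set(), "total": 0, "ok": 0})
    for ip, path, user, success in events:
        s = stats[(ip, path)]
        s["users"].add(user)
        s["total"] += 1
        if success:
            s["ok"] += 1
            s["hits"].add(user)

    flagged = {}
    for key, s in stats.items():
        ratio = s["ok"] / s["total"]
        if len(s["users"]) >= min_users and ratio <= max_success_ratio:
            flagged[key] = {
                "distinct_users": len(s["users"]),
                "attempts": s["total"],
                "success_ratio": ratio,
                # Accounts that authenticated from a flagged source: reset these.
                "compromised": sorted(s["hits"]),
            }
    return flagged


if __name__ == "__main__":
    for (ip, path), info in find_stuffing_sources(SAMPLE_EVENTS).items():
        print(ip, path, info)
```

Keying the statistics on the login path as well as the source keeps a weaker legacy endpoint visible on its own instead of being averaged into traffic on the primary login.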

Timeline

  1. 2020-04-01 Breach occurred
  2. 2020-04-24 Publicly disclosed
  3. 2020-04-24 Customers notified