The Pokemon Company has announced that it has identified hacking attempts aimed at some of its users. To protect its fans, the company has proactively reset the passwords for the affected accounts.
Last week, visitors to the official support website for Pokemon were met with an alert that stated, “following an attempt to compromise our account system, Pokemon proactively locked the accounts of fans who might have been affected.”
As of today, the alert has been removed. The spokesperson for Pokemon, Daniel Benkwitt, clarified that there was no actual breach, but rather a series of hacking attempts targeted at specific users.
“The account system itself was not compromised. We did, however, detect attempts to log into certain accounts. As a precaution, we have reset the passwords for these accounts, which triggered the alert,” stated Benkwitt.
Pokemon remains an incredibly popular gaming franchise, with millions of players worldwide.
According to Benkwitt, only 0.1% of the targeted accounts were successfully compromised. He also reiterated that the impacted users have already been required to reset their passwords, meaning there is no further action necessary for those who were not impacted.
The description of the Pokemon account breaches appears to be a classic example of credential stuffing. This technique involves taking usernames and passwords stolen in previous breaches and trying them on other sites, where users may have reused the same credentials.
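An added example (not from the article or from The Pokemon Company) of how a defender might spot this pattern in login records: one source trying many different accounts with very few successes, as opposed to one user mistyping their own password. The log format, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

MIN_DISTINCT_USERS = 10  # assumed threshold: accounts tried from one source
MAX_SUCCESS_RATE = 0.20  # assumed threshold: stuffing rarely succeeds

def build_sample_log():
    """Constructed events in an assumed format: 'timestamp source_ip username result'."""
    lines = []
    # One source tries 20 different accounts once each; only user07 matches.
    for i in range(20):
        result = "OK" if i == 7 else "FAIL"
        lines.append(f"2024-01-10T09:00:{i:02d}Z 198.51.100.23 user{i:02d} {result}")
    # A legitimate user mistypes a password twice, then logs in.
    for sec, result in ((5, "FAIL"), (9, "FAIL"), (15, "OK")):
        lines.append(f"2024-01-10T09:01:{sec:02d}Z 203.0.113.7 misty {result}")
    lines.append("truncated record")  # malformed line, must be ignored
    return lines

def find_stuffing(lines):
    """Return {source_ip: {'targeted': set, 'compromised': set}} for suspect sources."""
    attempts = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue  # skip malformed records rather than guess at their meaning
        _, ip, user, result = parts
        attempts[ip].append((user.lower(), result == "OK"))

    suspects = {}
    for ip, events in attempts.items():
        targeted = {user for user, _ in events}
        compromised = {user for user, ok in events if ok}
        success_rate = len(compromised) / len(targeted)
        # Many distinct accounts plus a low hit rate is the stuffing signature;
        # repeated failures on a single account do not match it.
        if len(targeted) >= MIN_DISTINCT_USERS and success_rate <= MAX_SUCCESS_RATE:
            suspects[ip] = {"targeted": targeted, "compromised": compromised}
    return suspects

if __name__ == "__main__":
    for ip, hit in find_stuffing(build_sample_log()).items():
        # Targeted accounts get a precautionary password reset; accounts with
        # a successful login from the suspect source need review as well.
        print(ip, "reset:", len(hit["targeted"]), "review:", sorted(hit["compromised"]))
```

The targeted set corresponds to the accounts a service would reset as a precaution, and the compromised set to the small fraction where a reused password actually worked.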
A similar scenario occurred last year with the genetic testing company 23andMe. Hackers were able to access around 14,000 accounts by using leaked passwords from other breaches. This allowed them to access sensitive genetic data of millions of other account holders.
In response, 23andMe and some of its competitors rolled out mandatory two-factor authentication, which prevents credential stuffing attacks.
However, at the time of checking, Pokemon does not offer the ability to enable two-factor authentication for its users.