The Pokémon Company said it detected hacking attempts against some of its users and reset the passwords for those user accounts.
Last week, an alert was seen on the official Pokémon support website, stating that “following an attempt to compromise our account system, Pokémon proactively locked the accounts of fans who may have been affected.”
As of Tuesday, the alert had disappeared. A company spokesperson said there was no breach, just a series of hacking attempts against some users.
“The accounting system was not compromised. What we experienced and detected was an attempt to log into some accounts. To protect our customers, we have reset some passwords that caused the message,” said Daniel Benkwitt, spokesperson for the Pokémon Company.
Pokémon is a very popular game franchise with hundreds of millions of players around the world.
Benkwitt said that only 0.1% of the accounts attacked by the hackers were actually compromised and reiterated that the company has already forced affected users to reset their passwords, so there is nothing to do for people who have not been forced to reset their passwords.
The description of Pokémon account breaches sounds like credential stuffing, where malicious hackers use usernames and passwords stolen from other breaches and reuse them on other sites.
A recent example of a similar incident is what happened last year to the genetic testing company 23andMe. In that case, hackers used passwords leaked from other breaches to access about 14,000 accounts. By breaking into those accounts, hackers were able to access the sensitive genetic data of millions of other 23andMe account holders.
That led the company (and several of its competitors) to implement mandatory two-factor authentication, a security feature that prevents credential stuffing attacks.
For its part, the Pokémon Company did not allow its users to enable two-factor authentication on their accounts when TechCrunch checked.
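The pattern described above (one source trying many different accounts, with only a small fraction of logins succeeding) is what a defender looks for in authentication logs. The following is an added example, not code from the Pokémon Company or from the original article. The event format, the thresholds, the IP addresses and the usernames are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, login_succeeded).
STUFFED_USERS = ["misty", "brock", "gary", "oak", "jessie", "james", "dawn", "may"]
SAMPLE_EVENTS = (
    # One source walks a list of different accounts, one try each; one hit.
    [("203.0.113.7", user, user == "misty") for user in STUFFED_USERS]
    # A real user mistypes a password twice, then gets in.
    + [("198.51.100.4", "ash", False), ("198.51.100.4", "ash", False),
       ("198.51.100.4", "ash", True)]
    # Repeated failures against a single account (not stuffing).
    + [("192.0.2.9", "lance", False)] * 6
)


def find_stuffing_sources(events, min_accounts=5, max_success_ratio=0.2):
    """Return {source: (distinct_accounts, success_ratio)} for sources that
    target many distinct accounts and mostly fail. Thresholds are assumed."""
    accounts = defaultdict(set)
    attempts = defaultdict(int)
    successes = defaultdict(int)
    for source, user, ok in events:
        accounts[source].add(user)
        attempts[source] += 1
        successes[source] += int(ok)

    flagged = {}
    for source, users in accounts.items():
        ratio = successes[source] / attempts[source]
        if len(users) >= min_accounts and ratio <= max_success_ratio:
            flagged[source] = (len(users), ratio)
    return flagged


def accounts_to_reset(events, flagged):
    """Accounts a flagged source logged into successfully: the candidates
    for locking and a forced password reset."""
    return sorted({user for source, user, ok in events if ok and source in flagged})


if __name__ == "__main__":
    flagged = find_stuffing_sources(SAMPLE_EVENTS)
    for source, (count, ratio) in flagged.items():
        print(f"{source}: {count} accounts tried, {ratio:.1%} succeeded")
    print("force reset:", accounts_to_reset(SAMPLE_EVENTS, flagged))
```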