Pierluigi Paganini March 20, 2024

The Pokemon Company resets some users’ passwords in response to hacking attempts against some of its users.

The Pokemon Company announced it had reset the passwords for some accounts after it had detected hacking attempts, Techcrunch first reported. The company was likely the target of credential stuffing attacks. Credential stuffing is an attack in which hackers use automation and lists of compromised usernames and passwords to defeat authentication and authorization mechanisms, with the end goal of account takeover (ATO) and/or data exfiltration.

In other words, bad actors glean lists of breached usernames and passwords and run them against desired logins until they find some that work. Then, they enter those accounts for the purpose of abusing permissions, siphoning out data, or both. 

Last week, the Pokemon’s official support website displayed the following message:

“Following an attempt to compromise our account system, Pokémon proactively locked the accounts of
fans who might have been affected. If you are unable to log in to your Pokémon Trainer Club account,
please reset your password following the instructions here.”

Pokémon, short for “Pocket Monsters,” is a media franchise created by Satoshi Tajiri and Ken Sugimori and managed by The Pokémon Company, a collaboration between Nintendo, Game Freak, and Creatures Inc. It was first introduced in 1996 as a video game for the original Game Boy console, developed by Game Freak and published by Nintendo. The franchise expanded to include video games, trading card games, animated television series, movies, comic books, toys, and merchandise. In Pokémon, players assume the role of Pokémon Trainers who capture and train fictional creatures called Pokémon to battle each other for sport.

Daniel Benkwitt, a Pokemon Company spokesperson, told Techcrunch that they haven’t suffered a security breach. Most of the hacking attempts against some users were detected and blocked, and only 0.1% of the the targeted accounts were compromised.

“The account system was not compromised. What we did experience and catch was an attempt to log in to some accounts. To protect our customers we have reset some passwords which prompted the message,” said Benkwitt.

A good mitigation against credential-stuffing attacks, and generally against account hijacking, is enabling multi-factor authentication.

Unfortunately, the Pokemon Company doesn’t support two-factor authentication on its platform.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Pokemon Company)