Pokémon is resetting some users’ passwords after hacking attempts

The Pokémon Company said it detected hacking attempts against some of its users and reset those user account passwords.

Last week, a notice was visible on the official Pokémon support website that said, “Following an attempt to hack our account system, Pokémon has proactively locked the accounts of fans who may have been affected.”

As of Tuesday, the alarm is gone. A company spokesperson said there was no breach, just a series of hacking attempts against some users.

“The account system was not compromised. What we experienced and caught was an attempt to login to some accounts. To protect our customers, we’ve reset some of the passwords that caused the message,” said Daniel Benkwitt, a spokesperson for the Pokémon Company.

Pokémon is an extremely popular game franchise with hundreds of millions of players worldwide.

Benkwitt said only 0.1% of the accounts targeted by the hackers were actually compromised, and reiterated that the company already forced affected users to reset their passwords, so there’s nothing it can do for people who haven’t been forced to reset their passwords. their passwords. passwords.

The description of Pokémon account breaches looks like credential stuffing, where malicious hackers use usernames and passwords stolen from other breaches and reuse them on other sites.

A recent example of a similar incident is what happened last year at the genetic testing company 23andMe. In that case, hackers used passwords leaked from other breaches to break into the accounts of about 14,000 accounts. By breaking into these accounts, the hackers were then able to access the sensitive genetic data of millions of 23andMe account holders.

This prompted the company (and several other competitors) to develop mandatory two-factor authentication, a security feature that prevents credential stuffing attacks.

For its part, The Pokémon Company does not allow its users to enable two-factor on their accounts, TechCrunch checked.