Pokemon is resetting some users’ passwords after hacking attempts

The Pokemon Company said it detected hacking attempts against some of its users and reset those user account passwords.

Last week, an alert appeared on Pokémon’s official support site, which said that “following an attempt to compromise our account system, Pokémon has proactively locked the accounts of fans who may have been affected.”

As of Tuesday, the advisory has expired. A company spokesman said there was no hack, just a series of hacking attempts against some users.

“The account system was not compromised. What we tested and observed was an attempt to log in to some accounts. To protect our customers, we have reset some of the passwords that triggered the message,” said Daniel Benquet, a Pokémon Company spokesperson.

Pokemon is a very popular game with hundreds of millions of players around the world.

Banquet said that only 0.1% of the accounts targeted by the hackers had actually been compromised, and reiterated that the company had already forced affected users to reset their passwords, so there was nothing that could be done for people who did not have to reset their passwords. . passwords.

The description of the Pokemon account breaches sounds like credential stuffing, where malicious hackers use usernames and passwords stolen from other breaches and reuse them on other sites.

A recent example of a similar incident is what happened last year to the genetic testing company 23andMe. In this case, hackers used passwords leaked from other breaches to break into the accounts of about 14,000 accounts. By compromising those accounts, the hackers were then able to access sensitive genetic data on millions of other 23andMe account holders.

This prompted the company (and many of its competitors) to roll out mandatory two-factor authentication, a security feature that prevents credential stuffing attacks.

For its part, The Pokemon Company does not allow its users to enable the two-factor in their accounts, as TechCrunch checked.