Hacks Are Always Worse Than Reported: Nintendo's Breached Accounts Magically Double

from the whoopsie dept

One of these days, we writers at Techdirt will put our collective and enormous heads together, and come up with an actual proposed mathematical formula that should be applied whenever a company first announces a security or account breach, so that the public can calculate what that breach count will eventually end up being. The reason the world needs such a formula is because you can pretty much set your watch when a company announces such a breach that in the following weeks or months it will grow significantly. This happened with Equifax, with TJX, and even with our own vaunted federal government. But if we ever really did want to try to put some kind of formula together for measuring the underplaying of a breach on initial response, the historical breach that would probably brake such an algorithm would have to be Yahoo's email breach, which, in 2013, was the breach of a few hundred thousand email accounts, but in 2017 magically became all of the accounts. As in, literally all of them.

This severity progression is so routine that it should have a name for easy reference. I propose Geigner's Effect. I heard somewhere that if you write for this site long enough you get an effect named after you.

The most recent example of, ahem, Geigner's Effect (actually first proposed on this site by Mike Masnick, but he already has an Effect) is Nintendo, which near the start of the year announced that roughly 160k of its Nintendo Accounts had potentially been breached. In an update this week, Nintendo revised that number to nearly double the original amount.

Today, Nintendo announced another 140,000 or so more accounts may have been accessed. That means a total of around 300,000 accounts may have been breached. Nintendo pointed out in an update today that that’s less than one percent of all Nintendo Network ID users.

While that's true, it's also 200% of the amount that Nintendo originally said had been breached. And who knows what that number is going to be in another couple of weeks or months? It could stay the same, or it could be more Yahoo-esque and balloon significantly. Remember again, Yahoo revised its breach numbers on a nearly annual basis until it finally settled on "all the accounts." The public has no reason to trust companies on these numbers and every reason to dismiss the casual trotting out of seemingly comforting math by some PR goon.

So, we reiterate: when you see a report of a breach, know that it's always more severe than first reported. Until we have our formula ready for prime time, that's the best you can do.


Filed Under: breach, data breach, geigner's effect
Companies: nintendo


Reader Comments

  • Anonymous Coward, 10 Jun 2020 @ 9:02pm

    "But if we ever really did want to try to put some kind of formula together for measuring the underplaying of a breach on initial response, the historical breach that would probably brake such an algorithm would have to be Yahoo's email breach, which, in 2013, was the breach of a few hundred thousand email accounts, but in 2017 magically became all of the accounts. As in, literally all of them."

    Please, I'm sure it's possible to reach more than 100%!

    • Anonymous Coward, 11 Jun 2020 @ 10:29am

      Re:

      This is entirely true and I was thinking the same thing. Breaches of some entities may reveal not just all the accounts people have with them, but account information shared between "partner" entities as well.

  • Anonymous Coward, 10 Jun 2020 @ 10:17pm

    brake such an algorithm

    break such an algorithm

  • Anonymous Coward, 10 Jun 2020 @ 10:21pm

    formula:

    presume "all". why bother with the middle man?

  • Anonymous Coward, 10 Jun 2020 @ 10:38pm

    when you see a report of a breach (of a service you're signed up with), know that your data has been released.

    FTFY

    But any more, does it really matter unless it's a medical or credit service? All of virtually everyone's data has already been breached multiple times. That horse has left the barn.

    100% of Nintendo's accounts could have been breached and the net effect, because Nintendo doesn't have much in the way of sensitive information, will be zero. Apart from some class action suit that makes a few lawyers rich and does nothing for the victims, that is.

    • Anonymous Coward, 11 Jun 2020 @ 10:36am

      Re:

      I don't think all the criminals have everyone's data. More salient is the fact that everyone should re-secure their accounts if they are still operable, and report them if they have been hijacked or used by another party.

  • Aaron Walkhouse, 10 Jun 2020 @ 10:49pm

    Geigner's Effect?

    <Smack!>

    Silly boy! You don't get to define an effect and then slap your own name on it!
    If an effect comes apparent and we remember you, that's when we coin a mnemonic.
    Then, and only then, "The Geigner Effect" comes into use, and you won't own it.

    </Smack!>

    [ Besides, we're still waiting to see if you get dragged away by the Secret Police,
    because that effect would be much more precisely measurable as well as memorable! ; ]

    • Anonymous Coward, 10 Jun 2020 @ 11:56pm

      Re: Geigner's Effect?

      I think "Yahoo Effect" is actually more apt. If it's to be named after the person who identified it then "Geigner's Law" would be better than "Geigner Effect". Or just assign it a new Internet Rule number, e.g. Rule 1572: A hacked database will always be hacked completely regardless of what the database owner says happened.

    • Scary Devil Monastery, 10 Jun 2020 @ 11:58pm

      Re: Geigner's Effect?

      Well, ok. I'll nominate "The security breach is always far worse than reported" as Geigner's corollary to Murphy's law.

      "Besides, we're still waiting to see if you get dragged away by the Secret Police..."

      Eh, no, that's Hoover's law. Or possibly, to keep up with modern times, Cheney's. Or was that one "There's no crime waterboarding can't produce confessions to"?

  • PaulT, 11 Jun 2020 @ 12:07am

    I don't know why anyone would be surprised by this. Most corporations wouldn't report a breach at all if they weren't facing liability by not doing so. Since they do, the impetus is then to downplay the incident to avoid losing users, so they'll give a low ball estimate before the incident is investigated. They will then release the actual numbers after an investigation is completed, possibly delaying it as much as possible so that their users have forgotten about the breach by the time the full extent is known.

    The only defense you have as a user is to assume that you have been compromised and take all actions necessary as if you have been affected. Even if you haven't, that's the best time to ensure you have all protections in place. If you're waiting for a press release from an actor that's incentivised to downplay what's happened, you're asking for trouble.

    • This comment has been flagged by the community.
      Anonymous Coward, 11 Jun 2020 @ 1:56am

      Trouble at Capital Hill Free Zone!

      Trouble!

      The real energy crisis is the crisis of imperialism. It is seen in a fight
      over raw materials and resources. It reflects the crisis in empire: declining
      Western control over the economies of the Third World, increased
      competition between capitalist countries, and growing stagnation arising
      from contradictions within monopoly capitalism itself. The system is in
      TROUBLE!.

      Big Trouble!

      https://www.reddit.com/r/MapPorn/comments/gzrxba/the_capital_hill_free_zone_currently_in_place_in/

      NOW WE ARE IN CHARGE!

      (Will Grab deliver in this area? I'm hungry)

      • Anonymous Coward, 11 Jun 2020 @ 10:41am

        Re: Trouble at Capital Hill Free Zone!

        Oh, I see, you are just posting randomly.

        Feels bad. Can't take spam seriously. (Also, you are a little dramatically shouty.) Too bad, valid issues.

  • This comment has been flagged by the community.
    Anonymous Coward, 11 Jun 2020 @ 1:44am

    Free Capital Hill Autonomous Zone Statement about Capitalism

    Few people really believe anymore in
    the great civilizing leadership role of the US. Few still think that capitalism is
    the best of all possible ways to meet the economic needs of the world's
    peoples, or that Black and Third World people are sub-human labor material
    destined to support the more worthwhile activities of white supermen. Few
    really believe that men will go on indefinitely monopolizing power in a
    supremacist anti-women society. Stated simply, our strategy is to base
    ourselves on the trends of change, to revolutionize and push them on, and to
    intervene in everything.

    https://www.capitolhillseattle.com/2020/06/welcome-to-free-capitol-hill-capitol-hill-autonomous-zone-forms-around-emptied-east-precinct/

    • Anonymous Coward, 11 Jun 2020 @ 3:24am

      Re: Free Capital Hill Autonomous Zone Statement about Capitalism

      Not from Seattle and I support the BLM movement, but I have a Bachelor's degree in history and political science and I'm a gambling sorta guy. Anybody wanna take bets on how long this autonomous zone will last? Definitely shorter than Free Derry in Ireland, but how short?

      Do these people have enough resources to sustain themselves? If not, do they have a supply line? Is there established leadership, or is it more like a commune? Do they have an ultimate goal or is this closer to "Occupy Wall street?" First aid is good, but do they have access to medicine and healthcare? Are they actually fighting the police, or are they intimidating them with their numbers? Are there any suspect groups you're gaining support from? (i.e. Nazis, ISIS, etc.)

      And on the police side: Do you have support from the surrounding community? Are you planning a long siege, or a quick, hard push? Do the protesters have demands and are you able to meet those demands? Will the protesters actually leave after those demands are met? Are you in negotiations with the leadership, if there is any?

      My initial guess, at BEST the protesters have one week for the cracks to show, 2 weeks they will have lost most of the area aside from one building. But that's if they don't have their shit together. Any other guesses?

      • Scary Devil Monastery, 12 Jun 2020 @ 3:28am

        Re: Re: Free Capital Hill Autonomous Zone Statement about Capita

        "Are there any suspect groups you're gaining support from? (i.e. Nazis, ISIS, etc.)"

        ...or, lamentably it has to be asked if there's a chance the poster is just another Identity Evropa supremacist putting on a blackface act and putting up radical calls for insurgency in the name of Black Lives Matter?

        After the recent spate of gaslighting the neo-nazi shitheaps have pulled there's an extra need to sanity-check anything which sounds inflammatory, lest it turn out to be Baghdad Bob just having been replaced by a slightly more skilled supremacy agitator.

  • bratwurzt, 11 Jun 2020 @ 3:23am

    you don't go around making up your own nickname

    ...therefore you don't get to propose a law named after you. Pretty sure it's Streisand effect, not Masnick effect :D

  • Upstream, 11 Jun 2020 @ 5:16am

    Try an Internet search on Masnick effect and see what comes up first :)

  • Anonymous Coward, 11 Jun 2020 @ 6:26am

    The only way to be sure following a hack is for everyone to assume their account was among those compromised and act accordingly. As such, the safest assumption should always be "all the accounts."

    Excuses like "less than one percent" are just useless fluff meant to make people feel good rather than helping re-secure their accounts.

  • bhull242, 11 Jun 2020 @ 7:15am

    Eponymous laws

    I propose Geigner's Effect. I heard somewhere that if you write for this site long enough you get an effect named after you.
    The most recent example of, ahem, Geigner's Effect (actually first proposed on this site by Mike Masnick, but he already has an Effect)

    I’m sorry, but what’s the Masnick Effect? Or are you talking about the Streisand Effect? If so, then it shouldn’t be Geigner’s Effect but something more like the Yahoo Effect or something.

  • Anonymous Coward, 11 Jun 2020 @ 10:53am

    Such a shame it's Nintendo customers who are affected. If it were only Nintendo, given the way it treats its customers and in particular, its most ardent fans, I'd say 'fucking good job, hope it gets annihilated'!!

  • Coyne Tibbets, 11 Jun 2020 @ 11:32pm

    Damage control

    There's already a name for what these companies are doing: damage control.
