Nintendo shut down NNID logins back in April after it discovered hackers had compromised some 160,000 accounts using legacy credentials. Now, the company says that figure was more like 300,000. In a Japanese language statement posted today, Nintendo says that in continuing the investigation, it found “approximately 140,000 additional NNIDs that may have been accessed maliciously.” It also clarified that the issue was not the result of a direct Nintendo breach, but rather customers using the same passwords in multiple places. Those compromised on other platforms were likely sold or harvested from the dark web.

By taking advantage of vulnerabilities surrounding legacy accounts, hackers were able access newer accounts, and subsequently the PayPal funds associated with it. While credit card information was not directly accessible, hackers were able to exploit their access to these PayPal accounts to make fraudulent purchases. Details such as nicknames, email addresses and dates of birth were also potentially viewed by third parties.