The spike in unauthorised account activity reported by Nintendo and users a few ago wasn't exactly stopped in a timely fashion. The company acknowledges that around 160.000 Nintendo Accounts were attacked but not all of them compromised. Nintendo also finds "no evidence pointing towards a breach of Nintendo's databases, servers or services".
Nintendo Japan warns that the personal data compromised in case of a successful hacking attempt is: alias, birth of date, region, country and personal email. Nintendo also guarantees that linked credit cards remain hidden but warns about accounts sharing the same passwords between (Nintendo Network ID) NNID, Nintendo Store Nintendo eShop and/or PayPal.
As a first action, Nintendo is banning NNID as a login tool to any Nintendo Account and will ask users to reset their passwords. "In addition, we also continue to strongly encourage users to enable two-step verification for their Nintendo Account", claims the message and ask for not to set the old pass again.