The Pokémon Company said it detected hacking attempts against some of its users and reset those user account passwords.
Last week, an alert was visible on Pokémon’s official support website that said, “Following an attempt to compromise our account system, Pokémon proactively locked the accounts of fans who might have been affected.”
As of Tuesday, the alert is gone. A spokesperson for the company said there was no breach, just a series of hacking attempts against some users.
“The account system was not compromised. What we did experience and catch was an attempt to log in to some accounts. To protect our customers we have reset some passwords which prompted the message,” said Daniel Benkwitt, a Pokémon Company spokesperson.
Pokémon is a wildly popular game franchise with hundreds of millions of players around the world.
Benkwitt said that only 0.1% of the accounts targeted by the hackers were actually compromised, and reiterated that the company already forced the impacted users to reset their passwords, so there isn’t anything to do for people who have not been forced to reset their passwords.
The description of the Pokémon account breaches sounds like credential stuffing, where malicious hackers use usernames and passwords stolen from other breaches and reuse them on other sites.
Disrupt 2026: The tech ecosystem, all in one room
Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $400.
Save up to $300 or 30% to TechCrunch Founder Summit
1,000+ founders and investors come together at TechCrunch Founder Summit 2026 for a full day focused on growth, execution, and real-world scaling. Learn from founders and investors who have shaped the industry. Connect with peers navigating similar growth stages. Walk away with tactics you can apply immediately
Offer ends March 13.
A recent example of a similar incident is what happened last year to the genetic testing company 23andMe. In that case, hackers used leaked passwords from other breaches to break into the accounts of around 14,000 accounts. By breaking into those accounts, the hackers were then able to access the sensitive genetic data on millions of 23andMe account holders.
That prompted the company (and several other of its competitors) to roll out mandatory two-factor authentication, a security feature that prevents credential stuffing attacks.
For its part, the Pokémon Company does not allow its users to enable two-factor on their accounts, when TechCrunch checked.
