The old Nintendo Network may be to blame for this one.
There is an imminent security threat for Nintendo accounts, and all holders are advised to turn on two-factor authentication to counter it.
Multiple reports of Nintendo accounts having multiple hundreds of dollars in downloadable content purchases - usually Fortnite V-Bucks - have emerged in recent days, and a writer for technology website Ars Technica reported it yesterday. Nintendo responded to Ars today, stating they are aware of the reports and recommending 2 factor authentication, and providing a process for recovering compromised accounts. Although not confirmed - Nintendo is not commenting on the root cause - it is suspected that people were able to gain access through an exploit targeting the old Nintendo Network ID system.
The 2 factor authentication is done by way of a smartphone application, such as Google Authenticator, though applications such as Microsoft's authenticator or Twilio's Authy can also work. There are also guides for using Google or other authenticators on PCs. A smartphone application is recommended for 2-factor in order to prevent potential hijacking of a text messages.