Nintendo of America has officially verified to BleepingComputer that hackers extracted survey information from the third-party service TinyPulse, which was utilized for internal purposes. Fortunately, Nintendo’s internal systems remained uncompromised during this cyber incident.
Following assertions made by the Shadowbyt3$ extortion group, Nintendo of America acknowledged that sensitive data concerning its employees had been accessed by threat actors.
“We acknowledge an incident involving TinyPulse, a third-party service utilized for conducting internal employee surveys within Nintendo of America,” stated Nintendo.
“Nintendo’s systems have remained secure, and no personal customer or financial information was compromised. The accessed data was limited to internal survey content of a small group of employees, with most of the data dating back several years,” as per Nintendo’s statement to BleepingComputer.
Nintendo of America operates as a subsidiary of the renowned Japanese gaming company, overseeing operations in the United States, Canada, and select regions of Latin America.
TinyPulse functions as an employee engagement and feedback platform, offering services such as anonymous employee surveys, engagement analytics, feedback aggregation, and workplace culture evaluations.
The gaming giant affirmed that they are collaborating with the service provider to effectively address the situation.
BleepingComputer reached out to WebMD Health Services, the parent company of TinyPulse, for additional insights regarding the incident and its repercussions; however, no response was received at the time of publication.
Despite Nintendo’s claims that only survey data was exposed, Shadowbyt3$ alleges that the stolen information encompasses personal details of employees.
In an initial communication, the threat group disclosed that they had acquired nearly 1GB of data from Nintendo and issued a 48-hour ultimatum for negotiations before disclosing the data.
According to the threat actor, the compromised data includes full names, email addresses, analytical data, survey records, banking statements, W-9 forms containing employee IDs, progress reports, and plans spanning from 2016 to 2026.
“Contact us for an additional day to deliberate. We demand a ransom of $2 million,” stated the Shadowbyt3$ post.
In a subsequent message, the threat actor clarified that the breach does not impact Nintendo’s gaming infrastructure but rather a subset of employees using TinyPulse.
Another message from Shadowbyt3$ cautioned of potential additional victims and included a link to leaked data purportedly containing private messages and conversations among employees, implying Nintendo’s reluctance to comply with the ransom demand.
BleepingComputer refrained from downloading the leaked data to verify its authenticity. Even if valid, there is no impact on Nintendo’s customer data, and account holders need not take any immediate action.
ShadowByt3$ represents a relatively new threat entity branding itself as an “extortion as a service” group since October 2025. The group leaks data from non-compliant companies and asserts that upon settlement, all data will be permanently deleted, with no further communication.
However, law enforcement strongly advises against paying ransom to hackers as it encourages future attacks and offers no assurance that the stolen data won’t be sold privately.
Security teams detect only 14% of successful attacks, leaving the majority undetected in your system. The Picus whitepaper demonstrates how breach and attack simulations can enhance your SIEM and EDR rules, preventing threats from evading detection.
Get the whitepaper
EU Takes Action Against Instagram and Facebook for Violating Illegal Content Rules
Warning: Facebook Creators Face Monetization Loss for Stealing and Reposting Videos
Facebook’s New Look: A Blend of Instagram’s Style
Facebook Compliance: ICE-tracking Page Removed After US Government Intervention
Facebook and Instagram to Reduce Personalized Ads for European Users
InstaDub: Meta’s AI Translation Tool for Instagram Videos
Reclaim Your Account: Facebook and Instagram Launch New Hub for Account Recovery
Meta discontinues Messenger apps for Windows and macOS
Subscribe to our weekly newsletter below and never miss the latest News or an exclusive offer.
