"We are aware of an issue involving TinyPulse, a third-party service used for internal employee surveys at Nintendo of America," stated Nintendo.
Nintendo of America statement and immediate posture
Nintendo of America told BleepingComputer that its own systems were not compromised and that "no personal customer or financial data has been accessed." The company characterized the exposed information as "limited to internal survey content comprising a small subset of our employees," and said that "most of the information dates back several years." Nintendo also confirmed it is "working with the service provider to address the issue." The firm noted that its U.S. subsidiary handles operations in the United States, Canada, and parts of Latin America.
Claims and demands from Shadowbyt3$
The incident was publicly claimed by Shadowbyt3$, a group that describes itself as an "extortion-as-a-service" threat actor. In an initial message, the actor said it had stolen close to 1 GB of data and gave Nintendo 48 hours to engage in negotiations before any leak. Shadowbyt3$ later posted a ransom demand of $2 million, writing, "If you contact us we give you an extra day to think this through. We are demanding a ransom payment of 2 million dollars."
Shadowbyt3$ provided a description of the files it alleges to have exfiltrated: full names, email addresses, analytics and survey data, bank statements, W-9 forms with employee IDs, progress plans, and reports covering the period between 2016 and 2026. The group clarified in a follow-up that the "breach doesn't affect nintendo gaming" and targeted "a small amount of employees that work for nintendo and have used tinypulse." Other posts from the actor warned of additional victims and offered a link to allegedly leaked data including "direct messages and conversations between employees."
BleepingComputer did not download the leaked files and explicitly said it could not confirm the authenticity of the material being offered by Shadowbyt3$.
TinyPulse and WebMD Health Services' role
TinyPulse, the platform named in Nintendo's statement, is an employee engagement and feedback service used for anonymous surveys, engagement analytics, feedback collection, and workplace culture assessments. The TinyPulse platform is owned by WebMD Health Services, which BleepingComputer contacted for further information about the incident; the outlet said it had not received a response by publishing time.
Nintendo described the issue as involving the third-party TinyPulse service rather than its internal systems, and said it is coordinating with the platform provider to manage the situation.
Customer impact and law enforcement guidance
Both Nintendo’s statement and BleepingComputer’s reporting emphasize that customer data and Nintendo gaming systems were not affected; the coverage states that account holders "do not need to take any action." At the same time, the extortionist’s claims include personal employee documents and financial forms, which produces a different risk profile for the small subset of employees the group says were affected.
The reporting also notes a commonly stated law enforcement position: authorities "strongly discourage paying the hackers because it incentivizes future attacks" and because a payment offers no guarantee the actor will not privately sell the information or continue to disclose it.
What this means for security teams, policymakers, and affected employees
- Security teams: The episode centers on a third-party platform used for employee surveys, underscoring the potential exposure of internal data through vendor services. Related material in the coverage cites a Picus whitepaper claim that security teams log 54% of successful attacks and alert on just 14%, and that breach-and-attack simulation can test SIEM and EDR rules — framing detection gaps as a material concern for defenders.
- Policymakers and law enforcement: The reporting reiterates the familiar admonition against paying ransoms, noting that law enforcement discourages such payments because they incentivize further attacks and do not guarantee deletion or non-disclosure of stolen data.
- Affected employees: Nintendo said the exposed data is limited and mostly older, but Shadowbyt3$ claims a broader set of personal materials, including bank statements and W-9 forms. BleepingComputer did not verify the leaked files, so employees named in the actor’s claims face uncertainty about the authenticity and scope of any exposure.
For now, Nintendo has positioned the incident as a third‑party data exposure affecting internal survey records for a small group of employees while asserting its systems and customer data remain intact. The claims by Shadowbyt3$ — including an asserted 1 GB of files and a $2 million ransom demand — remain unverified by BleepingComputer, and WebMD Health Services had not responded to queries at the time of publication. Whether the files are authentic, how many employees are affected, and what remedial steps the service provider will take are the concrete next items left to resolve.




