Employee Data Compromised in Third-Party Breach
Nintendo of America has confirmed a data security incident that involved a third-party service, acknowledging that sensitive employee information was accessed. The breach, however, has been downplayed by the company, which stressed that no customer or financial data was affected.
Hacking Group Claims Responsibility and Demands Ransom
A hacking collective known as Shadowbyt3$, which operates with an “extortion-as-a-service” model, has claimed responsibility for the intrusion. The group alleges to have obtained approximately 1GB of internal data belonging to Nintendo of America employees. They reportedly demanded a $2 million ransom from the company, setting a 48-hour deadline before threatening to release the stolen files.
TinyPulse Platform Identified as Vulnerable Point
The compromised data is understood to have originated from TinyPulse, a platform used by companies for employee engagement and feedback. Shadowbyt3$ claims the stolen information includes employee names, email addresses, analytics and survey data, bank statements, and W-9 forms. The group also stated that the breach did not impact the company’s gaming operations but was limited to employees who utilized the TinyPulse platform. The data reportedly spans from 2016 to 2026.
TinyPulse is recognized for its method of delivering frequent, short “pulse surveys” to gather candid employee opinions about their work environment.
Nintendo Confirms Limited Scope of Breach
In a statement, Nintendo of America acknowledged the incident involving TinyPulse. The company clarified that its own internal systems were not compromised and that no personal customer or financial information was accessed. A company representative stated, “The data involved is limited to internal survey content comprising a small subset of our employees, and most of the information dates back several years.” The company is reportedly collaborating with the service provider to resolve the issue.
Alleged Employee Communications Leaked
Following the breach confirmation, Shadowbyt3$ reportedly released a dataset purportedly containing direct messages and conversations between employees. The authenticity of this leaked information has not yet been independently verified. Analysts suggest this action could be a tactic to increase pressure on Nintendo, possibly indicating that negotiations had failed or were being used as leverage.
