Nintendo of America has confirmed to BleepingComputer that threat actors stole survey data from the third-party TinyPulse service used internally, but its systems were not compromised.
The company’s statement comes after claims from the Shadowbyt3$ “extortion-as-a-service” threat group that they exfiltrated sensitive data related to Nintendo of America employees.
“We are aware of an issue involving TinyPulse, a third-party service used for internal employee surveys at Nintendo of America,” stated Nintendo.
“Nintendo’s systems have not been compromised, and no personal customer or financial data has been accessed. Nintendo’s systems have not been compromised, and no personal customer or financial data has been accessed.”
“The data involved is limited to internal survey content comprising a small subset of our employees, and most of the information dates back several years,” the company told BleepingComputer.
Nintendo of America is a subsidiary of the Japanese game company, responsible for operations in the United States, Canada, and parts of Latin America.
TinyPulse is an employee engagement and feedback platform used for anonymous employee surveys, engagement analytics, feedback collection, and workplace culture assessments.
The gaming firm said it is “working with the service provider to address the issue.”
BleepingComputer contacted WebMD Health Services, the owner of the TinyPulse platform, for more information about the incident and its impact, but we did not receive a response by publishing time.
Shadowbyt3$ demands $2 million ransom
While Nintendo states that the incident only exposed survey information, Shadowbyt3$ claims that the stolen information includes employee personal details.
In an initial message, the threat actor said that they stole close to 1GB of data from Nintendo and gave the company 48 hours to engage in negotiations before leaking the information.
According to the threat actor, the stolen data contains full names, email addresses, analytics and survey data, bank statements, and W-9 forms with employee IDs, progress plans, and reports between 2016 and 2026.
“If you contact us we give you an extra day to think this through. We are demanding a ransom payment of 2 million dollars,” reads the Shadowbyt3$ post.
source: Kela
In a second message, the threat actor clarified that the “breach doesn’t affect nintendo gaming” but “a small amount of employees that work for nintendo and have used tinypulse.”
Another post from Shadowbyt3$ warned that there will be more victims and provided a link to leaked data allegedly including direct messages and conversations between employees, suggesting that Nintendo did not agree to pay a ransom.
BleepingComputer did not download the leaked data and could not confirm its authenticity. Even if the information is valid, Nintendo customer information remained unaffected by this breach, and account holders do not need to take any action.
ShadowByt3$ is a relatively new threat actor describing itself as an “extortion as a service group” operating since October 2025. The gang is leaking data stolen from victim companies that do not pay a ransom and says that in the case of a settlement, all data “will be Deleted Permanently and you will not hear from us again.”
However, law enforcement strongly discourages paying the hackers because it incentivizes future attacks. Furthermore, there is no guarantee that the threat actor will not privately sell the information.
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
