Nintendo employee survey data stolen via third-party TinyPulse platform

Nintendo of America confirmed that threat actors stole internal employee survey data from TinyPulse, a third-party HR engagement platform it used, after the SHADOWBYT3$ group claimed to have exfiltrated about 859 MB of data and demanded a US$2 million ransom — while stressing that Nintendo's own systems and customer data were not affected.

On 18 June 2026, Nintendo of America confirmed that attackers had stolen internal employee survey data from TinyPulse, a third-party HR engagement and feedback platform (operated by WebMD Health Services) that it used internally. The disclosure followed claims by the extortion-focused group SHADOWBYT3$, which said it had exfiltrated roughly 859 MB of data and demanded a US$2 million ransom.

What happened

SHADOWBYT3$ surfaced its claim around 13 June 2026, asserting that the stolen TinyPulse data included employee names, email addresses, analytics and survey responses, and related internal reports. The group threatened to publish the material unless Nintendo paid. The attackers themselves noted that the incident did not touch Nintendo's gaming business, describing the impact as limited to "a small amount of employees that work for Nintendo and have used TinyPulse."

Nintendo of America confirmed the theft of internal survey data from the third-party service but stressed that its own systems were not compromised and that no personal customer or financial data was accessed. The affected information was limited to internal survey content involving a small subset of employees.

Why it matters

The incident is a reminder that vendor risk is first-party risk: even when a company's core systems hold firm, sensitive employee data entrusted to an outside HR platform can become an extortion lever. For a brand as closely watched as Nintendo, an attacker-driven leak claim alone generates significant attention regardless of the relatively narrow scope, and the episode underscores why organisations must inventory the third parties holding their workforce data and hold them to the same security and incident-response standards as internal systems.

Timeline

June 13, 2026

The SHADOWBYT3$ group claims a breach of Nintendo via the third-party HR engagement platform TinyPulse, alleging theft of roughly 859 MB of data and demanding a US$2 million ransom.

June 18, 2026

Nintendo of America confirms to BleepingComputer that threat actors stole internal survey data from the third-party TinyPulse service, says its own systems were not compromised, and states that no customer or financial data was accessed.

Sources

bleepingcomputer.comhttps://www.bleepingcomputer.com/news/security/nintendo-confirms-data-stolen-in-webmd-subsidiary-cyberattack/

scworld.comhttps://www.scworld.com/brief/nintendo-confirms-employee-survey-data-stolen-from-third-party-service

cyberpress.orghttps://cyberpress.org/shadowbyt3-claims-breach-nintendo/

nintendolife.comhttps://www.nintendolife.com/news/2026/06/hacker-group-steals-nintendo-employee-data-posts-usd2-million-ransom

Related incidents

Data breachOngoingJune 17, 2026

Eastman Kodak confirms data breach claimed by ShinyHunters

Imaging and materials company Eastman Kodak confirmed that an unauthorised third party temporarily accessed a limited amount of company data, after the ShinyHunters extortion gang listed Kodak on its dark-web leak site and claimed to hold more than 2.2 million records of customer and internal corporate data.

Victim: Eastman Kodak
Records: 2.2M

Data breachRansom paidMay 1, 2026

Instructure Canvas LMS ShinyHunters breach (2026)

ShinyHunters exploited Canvas's Free-For-Teacher account programme to exfiltrate 3.65 TB of data spanning approximately 275 million users across nearly 9,000 schools — names, email addresses, student IDs, and some private messages between students and teachers. Instructure reportedly paid the ransom and the data was destroyed.

Victim: Instructure (Canvas LMS)
Loss: $10.0M
Records: 275.0M

Data breachResolvedAugust 16, 2024

National Public Data SSN breach

A breach of data broker National Public Data (Jerico Pictures) exposed a database of roughly 2.9 billion records containing names, Social Security numbers, dates of birth, and addresses scraped from public and non-public sources, triggering a wave of lawsuits and the company's bankruptcy.

Victim: National Public Data (Jerico Pictures, Inc.)
Records: 2.90B

Data breachContainedAugust 8, 2022

LastPass two-stage breach and customer vault theft (2022)

An August 2022 source-code theft from one LastPass developer's laptop chained into a November 2022 compromise of a DevOps engineer's personal computer — yielding access to backups of customer password vaults. Federal investigators later linked LastPass-stolen vaults to a $150 million crypto heist.

Victim: LastPass