Nintendo Confirms TinyPulse Data Breach as Shadowbyt3$ Demands $2M Ransom

Nintendo of America has confirmed that threat actors stole internal survey data from TinyPulse, a third-party employee engagement platform owned by WebMD Health Services, but stressed that its own systems remain uncompromised. In a statement to BleepingComputer, the company clarified that "the data involved is limited to internal survey content comprising a small subset of our employees, and most of the information dates back several years." The breach was disclosed after the Shadowbyt3$ extortion group claimed responsibility for the incident, which targeted the WebMD-owned survey service rather than Nintendo's gaming infrastructure directly.

Shadowbyt3$, operating as an "extortion-as-a-service" collective, initially claimed to have exfiltrated close to 1GB of data from Nintendo and issued a 48-hour ultimatum before threatening to leak the information. The threat actors are demanding a $2 million ransom payment, with additional negotiation windows offered upon contact. In a follow-up post, the group clarified that "the breach doesn't affect nintendo gaming" but rather "a small amount of employees that work for nintendo and have used tinypulse." The group subsequently published a link to alleged leaked data including direct messages and employee conversations, suggesting Nintendo declined to engage with the ransom demand.

According to Shadowbyt3$, the stolen dataset contains full names, email addresses, analytics and survey responses, bank statements, and W-9 tax forms including employee IDs, progress plans, and internal reports spanning 2016 to 2026. Nintendo characterized the scope more narrowly, stating no personal customer or financial data was accessed, and confirmed it is "working with the service provider to address the issue." BleepingComputer did not download the leaked files and could not independently verify their authenticity. WebMD Health Services, which acquired TinyPulse, did not respond to press inquiries by the time of publication.

The incident highlights the persistent risk of third-party SaaS dependencies in enterprise environments, where a single compromised vendor can expose sensitive employee data across multiple client organizations. Security teams should treat any data attributed to this breach with caution, and affected Nintendo employees are advised to monitor for credential exposure using an email breach checker and rotate any passwords reused between TinyPulse-linked accounts and other services. A password checker can also help identify whether any compromised credentials are weak, duplicated, or previously seen in known leaks, while broader exposure assessments can be conducted through a full privacy checkup.