Nintendo of America: Nintendo confirms data stolen in WebMD subsidiary cyberattack

Nintendo of America: Nintendo confirms data stolen in WebMD subsidiary cyberattack

Nintendo Confirms Data Breach via Third-Party TinyPulse Service

Nintendo of America has acknowledged a data breach involving TinyPulse, a third-party employee survey platform, after the extortion group Shadowbyt3$ claimed to have stolen sensitive internal data. According to Nintendo, its own systems were not compromised, and no customer or financial information was accessed. The exposed data is limited to internal survey content from a small subset of employees, primarily dating back several years.

However, Shadowbyt3$ a self-described "extortion-as-a-service" group active since October 2025 alleges the breach includes 1GB of data, such as employee names, email addresses, bank statements, W-9 forms, and internal reports spanning 2016 to 2026. The group initially demanded a $2 million ransom, threatening to leak the data if Nintendo failed to engage in negotiations within 48 hours. A subsequent post suggested Nintendo did not comply, as Shadowbyt3$ shared a link to alleged employee conversations.

While Nintendo confirmed the incident was isolated to TinyPulse, the platform’s owner, WebMD Health Services, has not responded to inquiries. The breach appears to have no impact on Nintendo’s gaming operations or customer accounts, though the authenticity of the leaked data remains unverified. Shadowbyt3$ has warned of additional victims, emphasizing its tactic of publicizing stolen data from non-paying targets.

Law enforcement discourages ransom payments, citing concerns over fueling further attacks and the lack of guarantees that threat actors will delete stolen data.

Source: https://www.bleepingcomputer.com/news/security/nintendo-confirms-data-stolen-in-webmd-subsidiary-cyberattack/

Nintendo cybersecurity rating report: https://www.rankiteo.com/company/nintendo

"id": "NIN1781814318",
"linkid": "nintendo",
"type": "Breach",
"date": "10/2025",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{'affected_entities': [{'industry': 'Gaming',
                        'location': 'United States',
                        'name': 'Nintendo of America',
                        'type': 'Company'},
                       {'industry': 'Employee Survey Platform',
                        'name': 'TinyPulse (WebMD Health Services)',
                        'type': 'Third-Party Service Provider'}],
 'attack_vector': 'Third-Party Service Compromise',
 'customer_advisories': 'No impact on customer accounts',
 'data_breach': {'data_exfiltration': '1GB of data allegedly stolen',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (personally identifiable and '
                                        'financial information)',
                 'type_of_data_compromised': ['Employee names',
                                              'Email addresses',
                                              'Bank statements',
                                              'W-9 forms',
                                              'Internal reports',
                                              'Internal survey content']},
 'description': 'Nintendo of America confirmed a data breach involving '
                'TinyPulse, a third-party employee survey platform, after the '
                'extortion group Shadowbyt3$ claimed to have stolen sensitive '
                'internal data. The breach was isolated to TinyPulse, and '
                "Nintendo's systems were not compromised. No customer or "
                'financial information was accessed, but internal survey '
                'content from a small subset of employees was exposed.',
 'impact': {'data_compromised': 'Internal survey content, employee names, '
                                'email addresses, bank statements, W-9 forms, '
                                'internal reports',
            'identity_theft_risk': 'Potential risk due to exposed employee '
                                   'data',
            'operational_impact': 'No impact on Nintendo’s gaming operations '
                                  'or customer accounts',
            'systems_affected': 'TinyPulse (third-party platform)'},
 'initial_access_broker': {'entry_point': 'TinyPulse (third-party platform)'},
 'investigation_status': 'Ongoing',
 'motivation': 'Extortion',
 'post_incident_analysis': {'root_causes': 'Third-party service compromise'},
 'ransomware': {'data_exfiltration': 'Yes',
                'ransom_demanded': '$2 million',
                'ransom_paid': 'No (Nintendo did not comply)'},
 'references': [{'source': 'Nintendo of America Statement'},
                {'source': 'Shadowbyt3$ Extortion Group Claims'}],
 'response': {'communication_strategy': 'Public acknowledgment of the breach'},
 'threat_actor': 'Shadowbyt3$',
 'title': 'Nintendo Data Breach via Third-Party TinyPulse Service',
 'type': 'Data Breach'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.