Nintendo of America Confirms Third-Party Breach via TinyPulse, Exposing Employee Data
A hacking group known as Shadowbyt3$ claimed responsibility for breaching Nintendo of America, alleging the theft of nearly 1GB of employee data from TinyPulse, a third-party survey platform. The group demanded a $2 million ransom and threatened to leak the files within 48 hours if negotiations failed.
The stolen data reportedly included names, email addresses, bank statements, W-9 forms, employee IDs, progress plans, and survey analytics spanning 2016 to 2026. Shadowbyt3$ later clarified that the breach targeted non-gaming employees who used TinyPulse, an employee engagement tool known for its frequent workplace feedback surveys.
Nintendo of America confirmed the incident in a statement to BleepingComputer, emphasizing that no customer or financial data was compromised and that its own systems remained secure. The company acknowledged that the breach involved "a small subset of employees" and that "most of the data dates back several years." Nintendo is now working with TinyPulse to address the issue.
Following the initial claim, Shadowbyt3$ released a dataset allegedly containing employee direct messages, though the authenticity of the leaked content remains unverified. The move suggests either failed negotiations or an attempt to pressure Nintendo further. No cybersecurity analysts have confirmed the validity of the exposed information.
Nintendo cybersecurity rating report: https://www.rankiteo.com/company/nintendo-us
"id": "NIN1781958454",
"linkid": "nintendo-us",
"type": "Breach",
"date": "1/2016",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{'affected_entities': [{'industry': 'Gaming',
'location': 'United States',
'name': 'Nintendo of America',
'type': 'Corporation'},
{'industry': 'Employee Engagement/Survey Platform',
'name': 'TinyPulse',
'type': 'Third-Party Service Provider'}],
'attack_vector': 'Third-Party Compromise',
'customer_advisories': 'Nintendo confirmed no customer or financial data was '
'compromised',
'data_breach': {'data_exfiltration': 'Yes',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (PII and financial documents)',
'type_of_data_compromised': ['Names',
'Email addresses',
'Bank statements',
'W-9 forms',
'Employee IDs',
'Progress plans',
'Survey analytics',
'Employee direct messages']},
'description': 'A hacking group known as Shadowbyt3$ breached Nintendo of '
'America by exploiting TinyPulse, a third-party survey '
'platform, and stole nearly 1GB of employee data. The group '
'demanded a $2 million ransom and threatened to leak the data '
'within 48 hours if negotiations failed. The stolen data '
'included names, email addresses, bank statements, W-9 forms, '
'employee IDs, progress plans, and survey analytics.',
'impact': {'brand_reputation_impact': 'Potential reputational damage',
'data_compromised': '1GB of employee data',
'identity_theft_risk': 'High (employee PII exposed)',
'payment_information_risk': 'High (bank statements exposed)',
'systems_affected': 'TinyPulse (third-party platform)'},
'initial_access_broker': {'entry_point': 'TinyPulse (third-party platform)',
'high_value_targets': 'Employee data'},
'investigation_status': 'Ongoing',
'motivation': 'Financial Gain',
'ransomware': {'data_exfiltration': 'Yes', 'ransom_demanded': '$2,000,000'},
'references': [{'source': 'BleepingComputer'}],
'response': {'communication_strategy': 'Public statement to BleepingComputer',
'third_party_assistance': 'Working with TinyPulse'},
'threat_actor': 'Shadowbyt3$',
'title': 'Nintendo of America Third-Party Breach via TinyPulse',
'type': 'Data Breach'}