Nintendo of America Confirms Data Breach via Third-Party Survey Provider TINYpulse
Nintendo of America has acknowledged a data security incident involving TINYpulse, a third-party anonymous employee survey service owned by WebMD Health Services. The breach, attributed to the ShadowByt3$ threat group, exposed internal survey data linked to a small subset of Nintendo employees, with most of the compromised information dating back several years.
According to Nintendo, its own systems remain uncompromised, and no customer or financial data was accessed. The company is collaborating with TINYpulse to address the issue.
ShadowByt3$ claimed responsibility for the attack, alleging the theft of nearly 1GB of data, including employee personal details such as names, email addresses, bank statements, W-9 forms, progress reports, and survey analytics. The group initially demanded a $2 million ransom, giving Nintendo 48 hours to negotiate with an additional day offered if contacted. The threat actors later posted alleged leaked data, including employee conversations, suggesting Nintendo did not engage in negotiations.
Active since October 2023, ShadowByt3$ operates as an extortion-as-a-service group, leaking stolen data from non-paying victims. While it remains unclear whether ransomware was used, the group’s tactics mirror those of traditional ransomware operations, though payment does not guarantee data deletion or future security. The incident highlights risks associated with third-party service providers in corporate data security.
WebMD Health Services cybersecurity rating report: https://www.rankiteo.com/company/webmd-health-services
Nintendo cybersecurity rating report: https://www.rankiteo.com/company/nintendo-us
"id": "WEBNIN1781850386",
"linkid": "webmd-health-services, nintendo-us",
"type": "Breach",
"date": "10/2025",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{'affected_entities': [{'customers_affected': 'Small subset of employees',
'industry': 'Gaming/Entertainment',
'location': 'United States',
'name': 'Nintendo of America',
'type': 'Corporation'},
{'industry': 'Employee Survey/HR Services',
'name': 'TINYpulse (WebMD Health Services)',
'type': 'Third-Party Service Provider'}],
'attack_vector': 'Third-Party Service Provider (TINYpulse)',
'data_breach': {'data_exfiltration': 'Nearly 1GB of data allegedly stolen',
'file_types_exposed': ['Bank statements',
'W-9 forms',
'Progress reports',
'Survey analytics',
'Employee conversations'],
'personally_identifiable_information': 'Names, email '
'addresses, bank '
'statements, W-9 forms',
'sensitivity_of_data': 'High (PII and financial data)',
'type_of_data_compromised': ['Employee personal details',
'Financial documents (bank '
'statements, W-9 forms)',
'Survey analytics',
'Employee conversations']},
'description': 'Nintendo of America has acknowledged a data security incident '
'involving TINYpulse, a third-party anonymous employee survey '
'service owned by WebMD Health Services. The breach, '
'attributed to the ShadowByt3$ threat group, exposed internal '
'survey data linked to a small subset of Nintendo employees, '
'with most of the compromised information dating back several '
'years. ShadowByt3$ claimed responsibility for the attack, '
'alleging the theft of nearly 1GB of data, including employee '
'personal details such as names, email addresses, bank '
'statements, W-9 forms, progress reports, and survey '
'analytics. The group initially demanded a $2 million ransom '
'and later posted alleged leaked data, including employee '
'conversations.',
'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
'employee data exposure',
'data_compromised': 'Employee personal details (names, email '
'addresses, bank statements, W-9 forms, '
'progress reports, survey analytics, employee '
'conversations)',
'identity_theft_risk': 'High (employee personal and financial data '
'exposed)',
'payment_information_risk': 'High (bank statements exposed)',
'systems_affected': 'TINYpulse (third-party survey provider)'},
'initial_access_broker': {'entry_point': 'TINYpulse (third-party service '
'provider)'},
'investigation_status': 'Ongoing',
'lessons_learned': 'Highlights risks associated with third-party service '
'providers in corporate data security',
'motivation': 'Extortion',
'post_incident_analysis': {'root_causes': 'Third-party service provider '
'(TINYpulse) compromise'},
'ransomware': {'data_exfiltration': 'Yes', 'ransom_demanded': '$2 million'},
'references': [{'source': 'Nintendo of America Statement'},
{'source': 'ShadowByt3$ Claims'}],
'response': {'communication_strategy': 'Public acknowledgment of the breach',
'third_party_assistance': 'Collaboration with TINYpulse to '
'address the issue'},
'threat_actor': 'ShadowByt3$',
'title': 'Nintendo of America Data Breach via Third-Party Survey Provider '
'TINYpulse',
'type': 'Data Breach'}