Nintendo says employee survey data exposed in third-party breach

Nintendo of America has confirmed that employee-related information was exposed in a cyberattack involving a third-party service provider. However, the company said the incident did not affect its own systems or customer data.

The confirmation follows claims by a hacking group known as Shadowbyt3$, which alleged that it had breached Nintendo of America and stolen nearly 1GB of internal information. The group reportedly demanded a ransom of US$2 million and gave the company 48 hours to begin negotiations before threatening to publish the data.

Nintendo of America, which oversees operations across the United States, Canada and parts of Latin America, sought to reassure stakeholders that the incident was limited in scope and did not involve its gaming infrastructure or customer records.

Attack linked to employee feedback platform

According to claims made by Shadowbyt3$, the stolen information included employee names, email addresses, survey and analytics data, bank statements, W-9 forms, employee identification details, progress reports and workplace-related documents spanning from 2016 to 2026.

The group later clarified that the alleged breach did not target Nintendo’s gaming division directly. Instead, it centred on information connected to TinyPulse, a third-party employee engagement platform used by organisations to gather workplace feedback from staff.

TinyPulse is designed to help companies measure employee satisfaction through regular surveys and feedback tools. The platform enables workers to share opinions about workplace culture, management and overall job satisfaction, often through anonymous or confidential responses.

The hackers claimed that information obtained from the platform included various internal records and employee-related communications. However, the full extent of the data exposure remains unclear, and independent verification of the claims has not been reported.

Cybercriminal groups increasingly target third-party service providers to gain access to corporate information. Such attacks can expose data held by external vendors even when a company’s own systems remain secure.

Nintendo says systems remain secure

In a statement provided to BleepingComputer, Nintendo of America confirmed that a security incident involving TinyPulse had occurred but stressed that the impact was limited.

“We are aware of an issue involving TinyPulse, a third-party service used for internal employee surveys at Nintendo of America,” the company said.

The company emphasised that the breach did not involve Nintendo’s own infrastructure and that customer information was not affected.

“Nintendo’s systems have not been compromised, and no personal customer or financial data has been accessed.”

Nintendo also stated that only a small number of employees were impacted and noted that much of the information involved was several years old.

“The data involved is limited to internal survey content comprising a small subset of our employees, and most of the information dates back several years,” the company stressed.

The company added that it is currently working alongside the service provider to address the matter and manage any potential consequences arising from the breach.

Questions remain over leaked information

Following its initial claims, Shadowbyt3$ reportedly published a link to a dataset containing direct messages and employee conversations.

The release of the material may indicate that negotiations between the attackers and the affected parties did not progress as the group had hoped. It may also have been intended to increase pressure on those involved by demonstrating that data was in the hackers’ possession.

Despite the publication of the alleged dataset, cybersecurity researchers and independent analysts have not publicly verified its authenticity. As a result, it remains uncertain whether all of the information claimed by the group is genuine or complete.

The incident highlights the growing risks organisations face from attacks targeting third-party vendors and software providers. Even when core systems remain untouched, companies can still be exposed through external services that store employee or operational data.

For Nintendo, the breach appears to have been limited to information associated with an employee feedback platform rather than its gaming operations, customer accounts or financial systems. While the company has sought to minimise concerns about the incident, the case serves as another reminder of the challenges businesses face in protecting data held across complex networks of external partners and service providers.