Nintendo confirms – Nintendo of America says threat actors stole survey data from its third-party TinyPulse service, but the company insists its systems were not compromised and no customer or financial data was accessed. The claim follows an extortion demand from Shadowbyt3$ for
The email didn’t land in Nintendo’s inbox as a surprise for long—by the time the threat actor began posting details publicly, Nintendo of America had already drawn a hard line between what was stolen and what was not.
Nintendo confirmed it was an issue involving TinyPulse, a third-party service the company uses internally for employee surveys. In a statement. Nintendo said it is aware of “an issue involving TinyPulse” and that “Nintendo’s systems have not been compromised. and no personal customer or financial data has been accessed.”.
The company also said the data involved is limited to internal survey content covering “a small subset of our employees,” and that “most of the information dates back several years.” Nintendo added that it is working with the service provider to address the issue.
TinyPulse is used for employee engagement and feedback, including anonymous employee surveys, engagement analytics, feedback collection, and workplace culture assessments. Nintendo of America—responsible for operations in the United States. Canada. and parts of Latin America—said TinyPulse is the affected piece of its internal workflow rather than something that reached customer systems.
That distinction is now at the center of a tense dispute with Shadowbyt3$, which describes itself as an “extortion-as-a-service” threat group operating since October 2025.
Shadowbyt3$ says it exfiltrated sensitive information and demanded a payout. In one of its initial posts. the group claimed it stole close to 1GB of data from Nintendo and gave the company 48 hours to negotiate before leaking it. The threat actor wrote. “We are demanding a ransom payment of 2 million dollars.” In that same message. the group also said that if Nintendo contacted them. it would “give you an extra day to think this through.”.
While Nintendo insists only survey information was exposed, Shadowbyt3$ claims the stolen material includes employee personal details. The threat actor alleged the data includes full names. email addresses. analytics and survey data. bank statements. and W-9 forms containing employee IDs. progress plans. and reports covering the period between 2016 and 2026.
In a second message. Shadowbyt3$ tried to narrow what it said was actually affected: it claimed the “breach doesn’t affect nintendo gaming. ” but it targeted “a small amount of employees that work for nintendo and have used tinypulse.” The group also warned that there would be more victims and shared a link to leaked data. alleging it included direct messages and conversations between employees—along with an implication that Nintendo did not agree to pay the ransom.
Nintendo’s public message stands in contrast to those claims. The company’s statement says its systems were not compromised, and it repeatedly draws the boundary that customer information was not accessed. The company also said the incident involved limited internal survey content.
BleepingComputer contacted WebMD Health Services. described as the owner of the TinyPulse platform. for more information about the incident and its impact. but it did not receive a response by publishing time. BleepingComputer also said it did not download the leaked data and could not confirm its authenticity. Even if the information is valid. BleepingComputer stated that Nintendo customer information remained unaffected and account holders do not need to take any action.
Shadowbyt3$ has its own terms for what it says it will do next. It claims that if a settlement is reached. all data “will be Deleted Permanently and you will not hear from us again.” But law enforcement strongly discourages paying hackers because it incentivizes future attacks. and there is no guarantee the threat actor won’t privately sell information later.
For Nintendo. the immediate challenge is managing the gap between what it says happened—survey data from TinyPulse. no system compromise—and what the extortion group says it took. including claims of employee banking and tax documents. For employees. the practical worry is simpler and more personal: even limited internal data can carry real consequences when it’s no longer private—and when the timeline of exposure stretches back years.
Nintendo of America TinyPulse cyberattack stolen data Shadowbyt3$ extortion ransom employee surveys WebMD Health Services cybersecurity