Nintendo Confirms Data Stolen
Overview Nintendo of America has confirmed that threat actors stole internal survey data from TinyPulse, a third‑party employee engagement platform owned by WebMD Health Services. While Nintendo’s own systems remain secure, the incident highlights how supply‑chain vulnerabilities can expose corporate information even when core infrastructure is unaffected. What Happened Nintendo acknowledged that the breach originated from TinyPulse, a service used for anonymous employee surveys and feedback analytics. The company stated that no customer or financial data was accessed and that the compromised information was limited to older survey records from a small subset of employees. “Nintendo’s systems have not been compromised, and no personal customer or financial data has been accessed,” the company told BleepingComputer. Nintendo is now working closely with WebMD Health Services to investigate and contain the incident. The Threat Actor: Shadowbyt3$ The attack was claimed by Shadowbyt3$, a relatively new “extortion‑as‑a‑service” group active since October 2025. The gang allegedly stole close to 1 GB of data and demanded a $2 million ransom, giving Nintendo 48 hours to negotiate before leaking the information. Shadowbyt3$ Claims: The group posted messages on dark‑web forums offering to delete the data “permanently” if the ransom was paid. However, law enforcement and cybersecurity experts warn that paying ransom demands only encourages future attacks and offers no guarantee that data won’t be sold privately. Understanding the Supply‑Chain Risk This incident illustrates how third‑party platforms can become entry points for data exfiltration even when primary systems are secure. Vector Description Impact Third‑Party Service Compromise Attackers target vendors with weaker security controls. Indirect exposure of corporate data. Extortion‑as‑a‑Service Criminal groups offer ransom operations as subscription services. Expands reach and frequency of attacks. Data Leak Amplification Stolen data used to pressure multiple organizations in the same supply chain. Multi‑company reputational damage. Nintendo’s case shows that even non‑technical data like employee surveys can be weaponized for extortion and social engineering. […]