Nintendo America Data Breach: Shadowbyt3$ Exposes Employee Info via TinyPulse

Post Views: 13

Nintendo America Employee Data Exposed Following Cyberattack on Third-Party HR Platform

Breach Details

A breach involving a third-party human resources platform has led to the unauthorized disclosure of employee information associated with Nintendo of America. The incident, attributed to the cybercriminal group Shadowbyt3, targeted the cloud infrastructure of TinyPulse, a service used for employee surveys, feedback collection, and workforce analytics. The breach was confirmed by Nintendo after the threat actor publicly claimed responsibility for the data exfiltration. The attack did not directly compromise Nintendo’s internal systems but exploited vulnerabilities within the cloud environment of TinyPulse, which is owned by WebMD Health Services. This platform processes sensitive employee data for multiple clients, including workforce metrics and personal details.

Threat Actor and Ransom Demand

According to the threat actor’s claims, the breach involved the theft of an 859-megabyte dataset spanning records from 2016 to early 2026. However, Nintendo stated that the exposed data consists of a limited subset of historical employee survey responses. Shadowbyt3, an extortion-as-a-service group that emerged in October 2025, first announced the attack on June 12, 2026, demanding a ransom of $2 million from Nintendo. When the company refused, the group redirected its demands to TinyPulse, setting a deadline of June 16 for payment. Upon the deadline passing without resolution, Shadowbyt3 began releasing data samples on a dark web platform.

Leaked Files and Risks

The leaked files reportedly include bank statement PDFs, employee names and corporate addresses, W-9 tax forms containing identification numbers, internal chat logs, and human resources analytics reports.

Security researchers analyzing the samples confirmed that the data pertains to active Nintendo of America employees.

The exposure of W-9 forms and financial records poses significant risks for identity theft, as cybercriminals often use such information to file fraudulent tax returns. Additionally, the leaked banking details could enable targeted phishing campaigns leveraging corporate-specific data to deceive employees.

Multi-Tenant Architecture and Broader Implications

While Nintendo confirmed the breach is limited to its U.S.-based workforce, the multi-tenant architecture of TinyPulse means other organizations using the platform may also face exposure risks. The incident highlights the vulnerabilities inherent in third-party service dependencies and the broader implications for corporate data security. No further details about the breach’s technical execution or the threat actor’s methods have been disclosed.