Nintendo confirms that data was stolen in a cyber attack on its WebMD subsidiary

Nintendo of America confirmed to BleepingComputer that the attackers stole analysis knowledge from a third-party TinyPulse service used internally, however that its techniques weren’t compromised.

The corporate’s assertion comes within the wake of claims that the Shadowbyt3$ “extortion-as-a-service” menace group has leaked delicate knowledge associated to Nintendo of America workers.

“We’re conscious of a problem with TinyPulse, a third-party service utilized by Nintendo of America for inner worker surveys,” Nintendo stated.

“Nintendo’s techniques haven’t been compromised and no private buyer or monetary knowledge has been accessed. Nintendo’s techniques haven’t been compromised and no private buyer or monetary knowledge has been accessed.”

The corporate advised BleepingComputer that “the related knowledge is proscribed to inner investigations that characterize a small portion of the workforce, and many of the info dates again a number of years.”

Nintendo of America is a subsidiary of the Japanese gaming firm and is answerable for operations in america, Canada, and elements of Latin America.

TinyPulse is an worker engagement and suggestions platform used for nameless worker surveys, engagement analytics, suggestions assortment, and office tradition assessments.

The gaming firm stated it was “working with service suppliers to deal with the difficulty.”

BleepingComputer reached out to WebMD Well being Providers, the proprietor of the TinyPulse platform, for extra details about this incident and its impression, however didn’t obtain a response by the point of publication.

Shadowbyt3$ calls for $2 million ransom

Nintendo has acknowledged that solely analysis info was uncovered on this incident, however Shadowbyt3$ claims that the stolen info contains private info of its workers.

Within the first message, the attacker stated he stole almost 1 GB of knowledge from Nintendo and gave Nintendo 48 hours to barter earlier than leaking the data.

In accordance with the attackers, the stolen knowledge contains names, e mail addresses, analytics and analysis knowledge, financial institution statements, W-9 kinds with worker IDs, progress plans, and stories from 2016 to 2026.

Shadowbyt3$’s put up reads, “Please contact us and we will provide you with an additional day to suppose issues over. We’re demanding a $2 million ransom fee.”

In a second message, the menace actor clarified that “the breach doesn’t have an effect on Nintendo video games” however does have an effect on “a small variety of workers who work for Nintendo and used tinypulse.”

One other put up by Shadowbyt3$ warns that there shall be extra victims, offers a hyperlink to leaked knowledge that allegedly contains direct messages and conversations between workers, and means that Nintendo has not agreed to pay the ransom.

BleepingComputer has not downloaded the leaked knowledge and couldn’t affirm its authenticity. Even when the data is legitimate, Nintendo buyer info isn’t affected by this breach and account holders don’t must take any motion.

ShadowByt3$ is a comparatively new menace actor that has been lively since October 2025 and calls itself an “extortion-as-a-service group.” The gang has leaked stolen knowledge from sufferer firms that do not pay the ransom, and says that within the occasion of a settlement, all knowledge shall be “completely deleted and you’ll by no means hear from them once more.”

Nonetheless, regulation enforcement companies strongly discourage funds to hackers as a result of it encourages future assaults. Moreover, there isn’t a assure that menace actors won’t promote the data privately.