Nintendo of America has confirmed that employee survey data was exposed in the recent TinyPulse cyberattack, although the company emphasized that its own systems were not breached and that no customer or financial information was accessed. The disclosure follows claims by the threat actor Shadowbyt3$, which alleged it had stolen sensitive information linked to Nintendo employees.
In a statement addressing the TinyPulse cyberattack, Nintendo said it was aware of an issue involving TinyPulse, a third-party platform used for internal employee surveys. According to the company, the incident was limited to data held by the service provider rather than Nintendo’s internal infrastructure.
“We are aware of an issue involving TinyPulse, a third-party service used for internal employee surveys at Nintendo of America,” Nintendo stated.
The company further clarified that “Nintendo’s systems have not been compromised, and no personal customer or financial data has been accessed.”
Nintendo Says Exposure Was Limited in the TinyPulse Cyberattack
According to Nintendo, the data affected by the TinyPulse cyberattack consisted of internal survey content involving only a small subset of employees. The company added that most of the information dated back several years.
“The data involved is limited to internal survey content comprising a small subset of our employees, and most of the information dates back several years,” Nintendo told media outlets.
Nintendo of America, a subsidiary of the Japanese gaming giant Nintendo, oversees operations across the United States, Canada, and parts of Latin America. TinyPulse is an employee engagement and feedback platform that supports anonymous surveys, workplace culture assessments, engagement analytics, and feedback collection.
Nintendo said it is currently “working with the service provider to address the issue.”
The Cyber Express has also reached out to Nintendo for additional details regarding the TinyPulse cyberattack. However, no further statement had been received at the time of publication.
Shadowbyt3$ Claims Broader Data Theft
Despite Nintendo’s assessment of the incident, the threat actor Shadowbyt3$ has claimed that the stolen information extends beyond employee survey responses and includes personal employee data.
In an initial message, Shadowbyt3$ alleged that nearly 1GB of data had been exfiltrated from Nintendo and gave the company 48 hours to enter negotiations before the information would be leaked.
The threat actor claimed the dataset contains full names, email addresses, analytics and survey data, bank statements, W-9 forms with employee IDs, progress plans, and reports spanning from 2016 to 2026.
“If you contact us we give you an extra day to think this through. We are demanding a ransom payment of 2 million dollars,” the Shadowbyt3$ post stated.
Threat Actor Issues Additional Warnings
In a follow-up message, Shadowbyt3$ clarified that the alleged breach “doesn’t affect nintendo gaming” but instead impacts “a small amount of employees that work for nintendo and have used tinypulse.”
The threat actor later published another post warning that more victims would emerge. The message included a link to allegedly leaked data containing direct messages and employee conversations, suggesting Nintendo did not agree to pay the $2 million ransom demand.
As of now, Nintendo maintains that the TinyPulse cyberattack was limited in scope and did not compromise its internal systems, while Shadowbyt3$ continues to assert that more sensitive employee information was stolen.
