Nintendo, the gaming giant behind Super Mario, The Legend of Zelda, and Pokemon, revealed that a subset of employee data had been exposed through a vulnerability in a third-party platform it uses for internal surveys. The company's own infrastructure, however, was not breached. The data, according to Nintendo, came from TinyPulse, an employee engagement and survey software platform that Nintendo had contracted to collect internal workplace feedback.
'Nintendo's systems have not been compromised, and no personal customer or financial data has been accessed,' the company said. It added: 'We are working with the service provider to address the issue.'
The breach occurred on 13 June, and a hacker group operating under the name SHADOWBYT3$ claimed responsibility for the attack. The group has since posted its demands on a cybercrime forum, demanding $2 million in exchange for not releasing the stolen files.
What SHADOWBYT3$ Claims to Have Stolen
The hacker group claims to have extracted approximately 859MB of data from the TinyPulse platform. According to reports citing the group's posting, the material includes:
- Full employee names
- Corporate email addresses
- Employee identification numbers
- Internal analytics reports
- HR survey responses
- Workplace feedback
- Organizational performance metrics
- Internal planning documentation
- W-9 forms
- Bank statement PDFs
The data reportedly spans a decade of corporate records, with material dating back to 2016.
Nintendo acknowledged the exposure is limited to 'internal survey content comprising a small subset of employees,' and characterised most of the information as several years old. The company said the stolen material is 'far more likely to be personal information about individuals who work for Nintendo than details about specific games and initiatives,' according to IGN.
Nintendo has suffered far more damaging breaches in the recent past. The so-called 'Gigaleak' and 'Teraleak' incidents, which emerged in 2020 and 2021 respectively, exposed source code, unreleased game prototypes, and internal development assets spanning decades of the company's history. The current incident does not appear to involve any intellectual property or product development data.
Nintendo also offered a statement on its internal culture around employee feedback: 'We appreciate our employees' willingness to share their perspectives, take all feedback seriously, and take action when needed.' The company did not address whether affected employees would be individually notified or whether it planned to discontinue use of the TinyPulse platform.
TinyPulse markets itself as an employee engagement tool, allowing organisations to run anonymous pulse surveys, gather workplace sentiment data, and track internal performance metrics. That use case requires the platform to hold a substantial volume of identifiable employee information, including names, corporate email addresses, and in some configurations, detailed HR data. When Nintendo contracted TinyPulse to handle those functions, it effectively transferred custody of that data to a third party whose security posture it cannot directly control.
Data breaches tracked across 2024 showed a 22% increase in incidents and a 178% rise in compromised records year over year, with 4.2 billion records compromised in total, according to Kiteworks, a secure content communications platform that tracks breach data.
Nintendo has not publicly disclosed what due diligence it performed on TinyPulse's security posture before or during the contract relationship. The company also has not confirmed whether TinyPulse notified Nintendo of the breach on June 13 when it occurred, or whether Nintendo learned of the incident through SHADOWBYT3$'s public forum posting two days later.
Neither Nintendo nor TinyPulse has responded to a request for a statement beyond Nintendo's official statement as of this writing.
