Technologynintendo data breach statement
Summary (tl;dr)
A hacker group claims to have stolen internal employee data from Nintendo of America via a third-party survey service and is demanding a $2 million ransom, though Nintendo states the breach is limited to old survey content and its main systems were not compromised.
Essential Background
Nintendo has previously experienced significant security incidents, including a data breach in 2020 that affected approximately 300,000 user accounts through its older Nintendo Network ID (NNID) system. This prior incident involved compromised login credentials and enabled unauthorized purchases on linked accounts. However, the current situation differs as it appears to target internal employee information rather than customer data.
The Full Story
A cybercriminal group known as "ShadowByt3$" (also referred to as "ShadowByte$") announced on June 13, 2026, that it had breached TinyPulse, a third-party service used by Nintendo of America for internal employee surveys. The hackers claimed to have exfiltrated approximately 859MB of confidential data, including employee names, email addresses, workforce surveys, internal reports, and potentially financial documents such as bank statements and W-9 forms. ShadowByt3$ demanded a $2 million ransom from Nintendo by June 15, 2026, threatening to release the data publicly if their demands were not met.
In response, Nintendo of America issued a statement acknowledging an "issue involving TinyPulse." However, the company clarified that its own internal systems were not compromised, and no personal customer or financial data was accessed. Nintendo stated that the exposed data is "limited to internal survey content comprising a small subset of our employees, and most of the information dates back several years." Following Nintendo's alleged refusal to pay, the hacker group has reportedly threatened to leak the data if TinyPulse, the third-party provider, does not comply with their demands.
Why It Matters
This incident underscores the critical cybersecurity risks associated with third-party vendors, as sensitive employee data can be exposed even when a primary company's systems remain secure. The potential exposure of internal employee information, including surveys, email addresses, and possibly financial details, raises significant privacy concerns for affected individuals and could lead to various malicious activities such as phishing attacks, identity theft, or further corporate espionage. The situation also highlights the growing trend of "extortion as a service" operations by cybercriminal groups and the complex decisions companies face regarding ransom payments.
Geographic Location
- Redmond, King County, Washington, United States (Nintendo of America uses the affected third-party service TinyPulse)