Nintendo’s biggest year just got hit with an unwelcome headline. An extortion-as-a-service group going by the name ShadowByt3$ has claimed responsibility for a data breach targeting Nintendo of America, reportedly stealing close to 1GB of sensitive employee data and demanding a $2 million ransom. But is the company really in trouble? Here’s a breakdown of everything that’s happened so far, and what Nintendo had to say about it.
What Did the ShadowByt3$ Hack Actually Steal?
First and foremost, it’s important to make note of the fact that the breach did not come from cracking the company’s core systems directly. Instead, ShadowByt3$ exploited TINYpulse, a third-party HR platform used by Nintendo of America to run internal employee engagement surveys. (via Cyberpress)
In hindsight, this is yet another classic supply chain attack vector that ransomware groups have increasingly used in recent years to gain access to unauthorized data. This time around, this particular group has claimed to have their hands on approximately 859 MB of data, spanning a decade of records from 2016 to 2026.
What’s exposed inside? Well, reportedly, it includes employee names, email addresses, W-9 tax forms, bank statement PDFs, internal analytics reports, workplace feedback submissions, and private employee communications. Cybernews further reviewed samples of the leaked data and found that several individuals identified in the survey records were still employed at Nintendo, giving some credibility to the claim.
Nintendo’s Official Response
ShadowByt3$ initially gave Nintendo a 48-hour deadline, until June 15, to respond before threatening to leak everything publicly. When Nintendo reportedly declined to engage (via Kotaku), the group pivoted its demands directly to TINYpulse, extending the deadline by a further day and warning that private employee messages and sensitive financial records would be released if payment wasn’t made.
Nintendo of America broke its silence on June 16, 2026, issuing a formal statement to Nintendo Life that offered some clarity, though not complete reassurance. The company confirmed it was aware of the TINYpulse situation, but was clear that Nintendo’s own internal systems had not been compromised.
We are aware of an issue involving TinyPulse, a third-party service used for internal employee surveys at Nintendo of America. Nintendo’s systems have not been compromised, and no personal customer or financial data has been accessed. The data involved is limited to internal survey content comprising a small subset of our employees, and most of the information dates back several years.
We appreciate our employees’ willingness to share their perspectives, take all feedback seriously, and take action when needed.
We are working with the service provider to address the issue.
Additionally, according to the company, no personal consumer data or financial information tied to players was accessed at any point during the incident. Nintendo also confirmed it is actively working with TINYpulse to address the issue, though it has not yet disclosed whether it intends to take any legal action against the bad actors.
For Switch 2 owners and Nintendo customers broadly, this breach appears to pose no immediate risk. Your personal data was not part of what the hacking group claims to have obtained. This also isn’t the largest breach the company has seen. The 2024 Pokémon Company Gamefreak’s Teraleak was way bigger than this in both scale and scope.
Click Here For The Original Source.
