A third-party human resources platform called TinyPulse has become the victim of a supply-chain attack that resulted in the exfiltration of records belonging to Nintendo of America employees. The breach was confirmed by Nintendo following claims from the notorious Shadowbyt3 extortion group.
The attackers, reportedly, didn’t compromise Nintendo’s own network perimeter, but accessed the cloud environment of TinyPulse. For your information, this is an employee survey, feedback, and workforce analytics platform owned by WebMD Health Services. Since TinyPulse aggregates workforce metrics and personnel details of its client base, the infrastructure contained a large volume of identifiable employee data.
Breach Details and Attribution
Shadowbyt3$, which emerged in October 2025 and operates as an extortion-as-a-service group, published this claim in the attack on 12 June 2026, and demanded a ransom payment of 2 million USD from Nintendo to prevent public data exposure. The group gave a 48-hour deadline to Nintendo for ransom payment, but the gaming giant declined to negotiate with them.
Following Nintendo’s refusal, Shadowbyt3$ shifted its financial demands directly to TinyPulse, setting a secondary deadline of 16 June. When this deadline passed without payment, they started leaking data samples onto their dark web platform.
Shadowbyt3$ claims to have stolen an 859-megabyte dataset comprising records from 2016 to early 2026, whereas according to Nintendo’s official statement, the exposed data is limited to a small subset of internal employee survey responses from previous years. Hackers still allege the files contain:
- Bank statement PDFs
- Employee names and corporate email addresses
- W-9 tax forms containing employee identification numbers
- Private messages and internal chat logs between staff members
- Workforce progress plans and human resources analytics reports
Security experts have reviewed the published sample files and verified that multiple named individuals are active Nintendo of America employees.
Ongoing Security Risks for Corporate Personnel
The exposure of W-9 tax documents and financial records introduces long-term identity theft risks because hackers routinely use this information to file fraudulent tax returns and divert financial refunds. Along with that, the exfiltrated banking details can help scammers to create targeted phishing emails using accurate corporate details to manipulate victims.
However, since TinyPulse operates a multi-tenant software architecture serving hundreds of corporate clients, other businesses using the platform may face similar data exposure risks.
Nintendo confirmed that the scope of the incident is restricted to Nintendo of America personnel. It is still recommended that any employee who uses the TinyPulse platform must implement credit freezes with reliable credit bureaus like Equifax, Experian, and TransUnion. They must also carefully monitor their tax filings for unauthorized changes.
