Nintendo of America has acknowledged that employee survey data was exposed through a security incident involving TinyPulse, a third-party platform used for internal feedback and engagement surveys. The company emphasized that its own systems were not compromised and that no customer or financial information was affected.

The confirmation follows claims made by the Shadowbyt3$ cybercrime group, which alleged that it had obtained sensitive information linked to Nintendo of America employees.

“We are aware of an issue involving TinyPulse, a third-party service used for internal employee surveys at Nintendo of America,” stated Nintendo.

“Nintendo’s systems have not been compromised, and no personal customer or financial data has been accessed. Nintendo’s systems have not been compromised, and no personal customer or financial data has been accessed."

"The data involved is limited to internal survey content comprising a small subset of our employees, and most of the information dates back several years,” the company told BleepingComputer.

Nintendo of America, which oversees operations across the United States, Canada, and parts of Latin America, explained that the affected information was restricted to internal survey content collected through TinyPulse.

TinyPulse is a workplace engagement platform that enables organizations to conduct anonymous employee surveys, gather feedback, analyze workforce sentiment, and assess company culture.

Nintendo added that it is “working with the service provider to address the issue.”

Meanwhile, BleepingComputer reached out to WebMD Health Services, the owner of TinyPulse, seeking additional details about the incident and its potential impact. However, no response had been received at the time of publication.

Despite Nintendo’s statement that only survey-related information was exposed, the Shadowbyt3$ group claims the stolen data includes more extensive employee records.

The threat actor initially alleged that nearly 1GB of data had been taken from Nintendo and gave the company 48 hours to begin negotiations before the information would be released publicly.

According to the group, the dataset contains employee names, email addresses, survey and analytics information, bank statements, W-9 forms, employee identification details, progress plans, and reports spanning from 2016 to 2026.

"If you contact us we give you an extra day to think this through. We are demanding a ransom payment of 2 million dollars," reads the Shadowbyt3$ post.

In a follow-up statement, the group claimed that the incident did not impact Nintendo’s gaming operations and instead affected “a small amount of employees that work for nintendo and have used tinypulse.”

The attackers later published another message suggesting additional organizations could be targeted and shared a link to what they claimed was leaked employee communications. The post implied that Nintendo declined to meet the ransom demand.

BleepingComputer stated that it did not download or verify the authenticity of the allegedly leaked files. Regardless of the claims, Nintendo has maintained that customer information was not involved in the incident and that users do not need to take any action.

Shadowbyt3$ is a relatively new cybercriminal operation that describes itself as an “extortion as a service” group and claims to have been active since October 2025. The group says it publishes stolen information from organizations that refuse to pay ransom demands and promises that data “will be Deleted Permanently and you will not hear from us again” if a payment agreement is reached.

Cybersecurity experts and law enforcement agencies continue to advise organizations against paying ransom demands, noting that doing so can encourage future attacks. They also warn that there is no assurance stolen information will not be retained or sold even after a payment is made.