Nintendo faces $2M ransom after employee data breach via TinyPulse
Nintendo says its systems weren't breached and no customer data was accessed, but a hacker group claims to have stolen internal employee survey data from third-party platform TinyPulse — and is demanding $2 million to keep it private.
A hacker group called ShadowBytes is threatening to leak Nintendo employee data unless the company pays a $2 million ransom, as reported by VGC and Kotaku. The group claims to have stolen 859MB of data from TinyPulse, a third-party service Nintendo of America uses for internal employee surveys. Nintendo has pushed back, saying its own systems were not breached and that no customer or financial data was accessed.
Key Takeaways
- Hacker group ShadowBytes claims to have stolen 859MB of data from TinyPulse, a third-party employee survey platform used by Nintendo of America.
- ShadowBytes is demanding a $2 million ransom, threatening to leak employee emails, names, and private messages if unpaid.
- Nintendo confirmed the breach but said no customer or financial data was accessed — only internal survey content from a small number of employees.
- Most of the data involved dates back several years, according to Nintendo of America's official statement.
- TinyPulse has also been threatened by the group after Nintendo allegedly declined to pay.
What did ShadowBytes claim to steal?
ShadowBytes — which describes itself as an "extortion as a service group" — claims the stolen dataset includes employee names, email addresses, private messages, survey responses, analytics reports, and bank statement PDFs. The group posted about the alleged breach on 13 June 2026, citing a claimed sample of 859MB of data pulled from TinyPulse's systems.
The group says Nintendo refused to pay, so it shifted its demand to TinyPulse directly. "Nintendo decided to not pay so we are demanding that TinyPulse pay or all data will be leaked including private messages of Nintendo employees," ShadowBytes said in a statement. "Private messages are about to not become private if TinyPulse doesn't reach an agreement with us."
TinyPulse has not issued a public statement in response to the threat. Neither the 859MB data sample nor the group's specific claims about bank statements have been independently verified.
What does Nintendo say?
Nintendo of America responded with a statement that directly contradicts the most alarming parts of ShadowBytes' claims. According to Nintendo, no customer data or financial records were accessed — only internal survey content from a limited number of employees, most of which is several years old.
"Nintendo's systems have not been compromised, and no personal customer or financial data has been accessed," the company said in a statement provided to Kotaku. "The data involved is limited to internal survey content comprising a small subset of our employees, and most of the information dates back several years."
Nintendo added it is "working with the service provider to address the issue." The company did not clarify how many employees were affected, nor did it address ShadowBytes' specific claim that the dataset includes bank statements — a direct contradiction worth noting.
Why this matters beyond Nintendo
This incident follows a broader pattern of gaming companies being targeted through third-party vendors rather than their core infrastructure. Earlier this year, Rockstar confirmed a data breach linked to a separate hacker group. In both cases, attackers found an entry point through peripheral services rather than the companies' primary systems.
The ShadowBytes breach highlights a specific risk: employee feedback platforms hold candid, often sensitive internal data that companies may not treat with the same security rigour as customer databases. Even if Nintendo's customer-facing systems are secure, its employees could face real consequences — exposed private messages, names, and contact details — if TinyPulse fails to reach an agreement with the group.
It's also a reminder that third-party data handling is one of the hardest attack surfaces to control. A company can invest heavily in its own security and still be exposed through a vendor it relies on for routine HR tasks. AI-driven security tools are increasingly being deployed to monitor exactly these kinds of supply-chain vulnerabilities.
Frequently Asked Questions
Was Nintendo customer data stolen in the ShadowBytes hack?
No. According to Nintendo of America, no personal customer or financial data was accessed. The breach was limited to internal employee survey data held by TinyPulse, a third-party platform. Nintendo's own systems were not compromised.
What is TinyPulse and why does Nintendo use it?
TinyPulse is an employee feedback platform used by companies to run internal surveys. Nintendo of America used it to gather perspectives from staff. It is not connected to Nintendo's customer-facing services, Nintendo accounts, or the eShop.
How much ransom is ShadowBytes demanding?
ShadowBytes is demanding $2 million. The group initially targeted Nintendo, but after Nintendo reportedly declined to pay, it shifted its demand to TinyPulse, threatening to leak private employee messages and data if no agreement is reached.
Should Nintendo Switch 2 owners be concerned?
Based on Nintendo's statement, no. The breach involves internal HR survey data, not Nintendo account credentials or payment information. There is no reported risk to Nintendo eShop accounts or Switch console users. Standard advice applies: use strong, unique passwords and enable two-factor authentication.
Has TinyPulse responded to the ShadowBytes threat?
Not publicly. As of the time of writing, TinyPulse had not issued a statement addressing ShadowBytes' claims or the ransom demand. Nintendo said it is "working with the service provider to address the issue."
Written by
Subscribe to our newsletter
Subscribe to our newsletter to get the latest updates and news
Member discussion