Executive Summary
Nintendo of America has confirmed that internal employee survey data was stolen in a cyberattack targeting TinyPulse, a third-party employee engagement platform owned by WebMD Health Services. The breach did not compromise any of Nintendo’s own systems, and no customer or financial data was accessed. The threat actor, known as Shadowbyt3$, claims to have exfiltrated approximately 1GB of data, including employee names, email addresses, analytics and survey data, bank statements, and W-9 forms with employee IDs, progress plans, and reports spanning from 2016 to 2026. The attacker demanded a $2 million ransom and threatened to leak the data if Nintendo did not comply. Nintendo is working with the service provider to address the incident. The breach is limited to internal employee data and does not affect Nintendo’s gaming operations or customer information. Law enforcement and security advisories recommend against paying ransoms and emphasize the importance of third-party risk management. All information in this summary is based on primary, independently corroborated sources as of June 21, 2026. (https://www.bleepingcomputer.com/news/security/nintendo-confirms-data-stolen-in-webmd-subsidiary-cyberattack/, https://www.privacyguides.org/news/2026/06/19/data-breach-roundup-june-12-18-2026/, https://radar.offseq.com/threat/nintendo-confirms-data-stolen-in-webmd-subsidiary--f2b476f7791428f0)
Technical Information
The breach originated from a compromise of the TinyPulse SaaS (Software-as-a-Service) platform, which is used by Nintendo of America for internal employee surveys, engagement analytics, and workplace culture assessments. TinyPulse is owned by WebMD Health Services. There is no evidence that Nintendo’s own IT infrastructure or networks were accessed or compromised. The attack was limited to the third-party service provider.
The threat actor, Shadowbyt3$, describes itself as an "extortion-as-a-service" group and has been active since October 2025. The group claims to have exfiltrated nearly 1GB of data, including full names, email addresses, analytics and survey data, bank statements, and W-9 forms with employee IDs, progress plans, and reports from 2016 to 2026. The attacker issued a $2 million ransom demand and threatened to leak the data if Nintendo did not engage in negotiations. Public posts by Shadowbyt3$ indicate that the breach does not affect Nintendo’s gaming operations but is limited to a subset of employees who used TinyPulse.
Technical analysis from Offseq Radar and BleepingComputer confirms that the attack vector was a supply chain compromise via the SaaS provider. The attacker likely leveraged legitimate access or exploited weaknesses in the TinyPulse platform to collect and exfiltrate sensitive employee data. There is no evidence of malware deployment, endpoint compromise, or lateral movement within Nintendo’s own infrastructure. The extortion tactics used by Shadowbyt3$ are consistent with recent trends in data theft and ransom operations targeting SaaS platforms.
The incident highlights the risks associated with third-party SaaS platforms, particularly those handling sensitive HR or employee data. The attack demonstrates that even organizations with robust internal security controls can be exposed through their vendors. The breach poses a risk to affected employees’ privacy and may lead to extortion or identity theft attempts. However, Nintendo’s operational systems and customer data remain secure and unaffected.
Mapping the attack to the MITRE ATT&CK framework, the following techniques are relevant:
- Initial Access: Supply Chain Compromise (T1195.002: Compromise of SaaS Applications) – The attacker gained access via a third-party SaaS provider, not through Nintendo’s own infrastructure. (https://attack.mitre.org/techniques/T1195/002/)
- Collection: Data from Information Repositories (T1213) – The attacker collected sensitive employee data stored in TinyPulse. (https://attack.mitre.org/techniques/T1213/)
- Exfiltration: Exfiltration Over Web Service (T1567.002) – Data was exfiltrated from the SaaS platform, likely using legitimate APIs or export functions. (https://attack.mitre.org/techniques/T1567/002/)
- Impact: Data Encrypted for Impact/Extortion (T1486, T1489) – The attacker used the stolen data for extortion, threatening public release unless a ransom was paid. (https://attack.mitre.org/techniques/T1486/)
No specific malware or exploit tools have been publicly identified in this incident as of June 21, 2026. The attack appears to have relied on access to the SaaS platform rather than deploying malware on endpoints or networks.
Attribution to Shadowbyt3$ is based on public claims and extortion posts by the group, but there are no technical artifacts (such as malware samples or unique tactics, techniques, and procedures) directly linking them to the breach. All technical evidence points to a third-party SaaS compromise and data exfiltration, consistent with the group’s claimed modus operandi.
The incident underscores the importance of robust third-party risk management, especially for organizations in the technology and gaming sectors that rely on SaaS platforms for HR and employee engagement functions.
Affected Versions & Timeline
The affected platform is TinyPulse, an employee engagement and feedback SaaS solution owned by WebMD Health Services. The breach impacted internal survey data and potentially sensitive personal employee information for a subset of Nintendo of America employees who used TinyPulse between 2016 and 2026. No Nintendo customer data, financial data, or gaming infrastructure was affected.
The verified timeline of events is as follows:
On June 18, 2026, Nintendo confirmed to BleepingComputer that survey data was stolen from TinyPulse, but no Nintendo systems or customer data were compromised. (https://www.bleepingcomputer.com/news/security/nintendo-confirms-data-stolen-in-webmd-subsidiary-cyberattack/)
On June 18, 2026, Offseq Radar published a technical summary confirming the breach, the ransom demand, and the scope of compromised data. (https://radar.offseq.com/threat/nintendo-confirms-data-stolen-in-webmd-subsidiary--f2b476f7791428f0)
On June 19, 2026, Privacy Guides included the incident in its weekly roundup, confirming the breach and the types of data claimed by the attackers. (https://www.privacyguides.org/news/2026/06/19/data-breach-roundup-june-12-18-2026/)
The breach is limited to internal employee data collected via TinyPulse and does not affect Nintendo’s gaming operations or customer information.
Threat Activity
The threat actor responsible for the breach is Shadowbyt3$, an "extortion-as-a-service" group active since October 2025. The group claims to have exfiltrated approximately 1GB of data from TinyPulse, including employee names, email addresses, analytics and survey data, bank statements, and W-9 forms with employee IDs, progress plans, and reports from 2016 to 2026.
Shadowbyt3$ issued a $2 million ransom demand and threatened to leak the data if Nintendo did not engage in negotiations. Public posts by the group indicate that the breach is limited to a subset of Nintendo of America employees who used TinyPulse and does not affect Nintendo’s gaming operations or customer information.
The group’s tactics are consistent with recent trends in data theft and extortion targeting SaaS platforms. Shadowbyt3$ operates by exfiltrating sensitive data from third-party providers and demanding ransom payments, threatening public disclosure if their demands are not met. Law enforcement and security advisories strongly discourage paying ransoms, as it incentivizes further attacks and does not guarantee data deletion.
There is no evidence of malware deployment, endpoint compromise, or lateral movement within Nintendo’s own infrastructure. The attack was conducted entirely through access to the TinyPulse SaaS platform.
Mitigation & Workarounds
Nintendo is working with TinyPulse and its parent company, WebMD Health Services, to address and remediate the breach. Since Nintendo’s own systems were not compromised and customer data was not accessed, no direct action is required from Nintendo customers or account holders.
Organizations using third-party SaaS platforms, especially for HR or employee engagement functions, should review their vendor security posture and monitor for any further disclosures or ransom demands. It is critical to ensure that third-party providers implement robust security controls, including access management, data encryption, and regular security assessments.
Law enforcement and security advisories recommend against paying ransoms, as doing so encourages further attacks and does not guarantee that stolen data will be deleted or not misused.
Affected employees should be notified and provided with guidance on monitoring for identity theft or extortion attempts. Organizations should review their incident response and third-party risk management processes to ensure they are prepared for similar supply chain attacks.
References
https://www.bleepingcomputer.com/news/security/nintendo-confirms-data-stolen-in-webmd-subsidiary-cyberattack/ (June 18, 2026)
https://www.privacyguides.org/news/2026/06/19/data-breach-roundup-june-12-18-2026/ (June 19, 2026)
https://radar.offseq.com/threat/nintendo-confirms-data-stolen-in-webmd-subsidiary--f2b476f7791428f0 (June 18, 2026)
https://attack.mitre.org/techniques/T1195/002/
https://attack.mitre.org/techniques/T1213/
https://attack.mitre.org/techniques/T1567/002/
https://attack.mitre.org/techniques/T1486/
https://appomni.com/blog/saas-supply-chain-attacks-mitre-attck-mapping/
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor risks associated with their vendors and supply chain partners. Our platform enables continuous monitoring of third-party SaaS providers, supports incident response workflows, and assists in evaluating vendor security controls. For questions about this incident or to discuss third-party risk management strategies, contact us at ops@rescana.com.
