Nintendo employee data stolen from third-party HR-survey SaaS (TinyPulse), not Nintendo's own systems

Nintendo of America confirmed that the extortion group Shadowbyt3$ stole a trove of employee data — not from Nintendo's perimeter, but from TinyPulse, an employee-engagement / pulse-survey SaaS owned by WebMD Health Services (BleepingComputer, 2026-06-18). The exfiltrated dataset (2016–early 2026) reportedly includes employee names, email addresses, W-9 tax forms, bank-statement PDFs and HR analytics (TechNadu, 2026-06-18). The actors demanded USD 2 million from Nintendo on 12 June with a 48-hour deadline; when Nintendo refused, they redirected extortion to TinyPulse directly and began releasing samples. Nintendo characterised the exposure as "internal survey content" for a small subset of employees — narrower than the attacker's claims.