Nintendo employee data stolen from third-party HR-survey SaaS (TinyPulse), not Nintendo's own systems
From CTI Daily Brief — 2026-06-20 · published 2026-06-20
Nintendo of America confirmed that the extortion group Shadowbyt3$ stole a trove of employee data — not from Nintendo's perimeter, but from TinyPulse, an employee-engagement / pulse-survey SaaS owned by WebMD Health Services (BleepingComputer, 2026-06-18). The exfiltrated dataset (2016–early 2026) reportedly includes employee names, email addresses, W-9 tax forms, bank-statement PDFs and HR analytics (TechNadu, 2026-06-18). The actors demanded USD 2 million from Nintendo on 12 June with a 48-hour deadline; when Nintendo refused, they redirected extortion to TinyPulse directly and began releasing samples. Nintendo characterised the exposure as "internal survey content" for a small subset of employees — narrower than the attacker's claims.
Defender takeaway: HR/engagement SaaS tenants (TinyPulse, Glint, Culture Amp, Leapsome, Qualtrics) routinely store financial-onboarding documents far beyond their nominal survey use-case and are under-weighted in third-party risk reviews. Enforce DLP classification on uploads to these platforms, inventory what data classes each tenant actually retains in its own cloud storage, and treat SSO integrations whose SaaS keeps a separate credential store as a lateral-movement path from one compromised employee credential to the vendor's full dataset.
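One way to run the tenant inventory recommended above, as an added example that is not part of the original brief: it classifies objects in a tenant export by content markers and flags data classes outside the tenant's approved purpose or past retention. The manifest layout, the policy values and the marker patterns are assumptions made for illustration.

```python
import re
from datetime import date

# Assumed policy for a pulse-survey tenant: what it may hold, and for how long.
APPROVED_CLASSES = {"survey_response"}
MAX_RETENTION_DAYS = 730

# Illustrative content markers per data class (hypothetical, not exhaustive).
MARKERS = {
    "tax_form": re.compile(
        r"Form\s+W-9|Taxpayer Identification Number|\b\d{3}-\d{2}-\d{4}\b", re.I),
    "bank_statement": re.compile(
        r"routing number|statement period|account number", re.I),
}

# Constructed sample manifest: (object key, last modified, extracted text excerpt).
MANIFEST = [
    ("uploads/2016/onboarding/w9_contractor.pdf", date(2016, 3, 1),
     "Form W-9 Request for Taxpayer Identification Number and Certification"),
    ("uploads/2021/payroll/stmt_0421.pdf", date(2021, 4, 30),
     "Statement period 04/01-04/30 Routing number 000000000"),
    ("surveys/2026/q1_pulse.json", date(2026, 2, 10),
     "How happy were you at work this week? 8"),
    ("surveys/2017/q3_pulse.json", date(2017, 9, 5),
     "Do you feel valued? 6"),
]

def classify(text):
    """Return the data classes whose markers appear in the text."""
    hits = {cls for cls, rx in MARKERS.items() if rx.search(text)}
    # Assumption: content with no sensitive marker is ordinary survey data.
    return hits or {"survey_response"}

def audit(manifest, today):
    """List (key, reasons) for objects out of scope or over retention."""
    findings = []
    for key, modified, text in manifest:
        reasons = []
        out_of_scope = sorted(classify(text) - APPROVED_CLASSES)
        if out_of_scope:
            reasons.append("out_of_scope:" + ",".join(out_of_scope))
        if (today - modified).days > MAX_RETENTION_DAYS:
            reasons.append("over_retention")
        if reasons:
            findings.append((key, reasons))
    return findings

if __name__ == "__main__":
    for key, reasons in audit(MANIFEST, date(2026, 6, 20)):
        print(key, reasons)
```

Marker matching of this kind only catches documents with extractable text; scanned PDFs need OCR before classification.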