### Third-Party Vendor Compromise Leads to Data Exposure **Nintendo of America**, a subsidiary of the Japanese gaming giant, has acknowledged an incident impacting **TinyPulse**, an employee engagement and feedback platform used internally. The breach, confirmed by Nintendo, resulted in the theft of survey data from the third-party service. Crucially, Nintendo maintains that its own systems were not compromised, and no personal customer or financial data was accessed. "We are aware of an issue involving **TinyPulse**, a third-party service used for internal employee surveys at **Nintendo of America**," the company stated. "**Nintendo's** systems have not been compromised, and no personal customer or financial data has been accessed. The data involved is limited to internal survey content comprising a small subset of our employees, and most of the information dates back several years." **TinyPulse**, now owned by **WebMD Health Services**, specializes in anonymous employee surveys, engagement analytics, and workplace culture assessments. **Nintendo** has indicated it is "working with the service provider to address the issue." ### Shadowbyt3$ Demands $2 Million Ransom The confirmation from **Nintendo** follows claims by **Shadowbyt3$**, an "extortion-as-a-service" threat group. The group alleges to have exfiltrated nearly 1GB of sensitive data related to **Nintendo of America** employees. Contrary to Nintendo's assessment that only survey content was exposed, **Shadowbyt3$** asserts that the stolen information includes full names, email addresses, analytics and survey data, bank statements, and W-9 forms with employee IDs, progress plans, and reports spanning from 2016 to 2026.  In their initial communication, **Shadowbyt3$** issued a 48-hour ultimatum for **Nintendo** to engage in negotiations, demanding a $2 million ransom. A subsequent message from the threat actor clarified that the breach specifically affects "a small amount of employees that work for **Nintendo** and have used **TinyPulse**," not the broader **Nintendo** gaming ecosystem.  Further posts from **Shadowbyt3$** hinted at more victims and provided a link to allegedly leaked data, including direct messages and conversations between employees, suggesting that **Nintendo** did not comply with the ransom demand. While the authenticity of the leaked data could not be independently verified, **Nintendo** reiterates that customer information remains unaffected. ### The Rise of Extortion-as-a-Service **Shadowbyt3$** describes itself as an "extortion as a service group" operational since October 2025. Their modus operandi involves leaking data from victim companies that refuse to pay a ransom, with a promise of permanent data deletion upon settlement. However, law enforcement agencies consistently advise against paying ransoms, as it incentivizes further attacks and offers no guarantee that the stolen data will not be privately sold or further exploited.