Nintendo America Employee Data Breached Following Shadowbyt3$ Attack on TinyPulse

TinyPulse, a human resources platform used by various organizations, has fallen victim to a supply-chain attack that compromised sensitive employee records of Nintendo of America. Nintendo has corroborated the breach in response to claims made by the extortion group known as Shadowbyt3$.

The attack did not breach Nintendo’s internal network but instead targeted the cloud infrastructure of TinyPulse, which is owned by WebMD Health Services. Given that TinyPulse aggregates workforce metrics and employee information, the system contained a significant amount of identifiable data related to employees.

Alert from VenariX Cyber Feeds on Telegram after claims from Shadowbyt3

Breach Details and Attribution

Shadowbyt3$, an extortion group that surfaced in October 2025, publicly claimed responsibility for this attack on 12 June 2026. They demanded a ransom of $2 million from Nintendo in exchange for not releasing the data publicly. After Nintendo refused to negotiate, Shadowbyt3$ redirected their financial demands to TinyPulse and set a payment deadline of 16 June. When that deadline passed without payment, they began leaking samples of the data on their dark web platform.

The exposed dataset reportedly spans 859 megabytes and includes records dating from 2016 to early 2026. However, Nintendo has stated that the leaked information primarily consists of a limited selection of internal employee survey responses from previous years. Nonetheless, Shadowbyt3$ continues to allege that the data includes sensitive documents, such as:

  • Bank statement PDFs
  • Names and corporate email addresses of employees
  • W-9 forms featuring employee identification numbers
  • Internal messages and chat logs among staff
  • HR analytics reports and workforce plans

Cybersecurity analysts have examined the leaked files and have confirmed that they contain data linked to active employees of Nintendo of America.

Screenshot from Shadowbyt3’s dark web leak site

Ongoing Security Risks for Corporate Personnel

The exposure of W-9 forms and financial records raises significant risks of identity theft, as this information can be exploited by cybercriminals to file fraudulent tax returns or divert refunds. The leaked banking information can also facilitate targeted phishing attacks using accurate organizational details to mislead victims.

TinyPulse’s multi-tenant architecture serves numerous businesses, which increases the risk of similar data exposures for other clients using the platform. Nintendo has confirmed that the incident’s effects are confined to Nintendo of America employees but advises those impacted to take precautions. Employees are encouraged to place credit freezes with the major credit bureaus and closely monitor their tax filings for unauthorized modifications.
