How did ShadowByt3$ gain access to Nintendo's data?

ShadowByt3$ exploited vulnerabilities in TinyPulse, a third-party service used by Nintendo for internal employee surveys, to exfiltrate the data.

What steps is Nintendo taking in response to the breach?

Nintendo is working with TinyPulse to address the issue and has confirmed that its internal systems, as well as customer and financial data, were not compromised.

Nintendo's 2026 Data Breach: A Wake-Up Call for Third-Party Security

Discover how the ShadowByt3$ ransomware group exploited a third-party service to breach Nintendo's internal data, and what this means for organizational cybersecurity.

Published: June 18, 2026

Share this on:

Executive Summary

In June 2026, Nintendo of America experienced a data breach through TinyPulse, a third-party service used for internal employee surveys. The cybercriminal group ShadowByt3$ claimed responsibility, alleging they exfiltrated approximately 859 MB of sensitive data, including employee names, email addresses, bank statements, and W-9 forms. Nintendo confirmed the breach but stated that only internal survey content from a small subset of employees was affected, with most information dating back several years. The company's internal systems, as well as customer and financial data, remained uncompromised.

This incident underscores the growing threat posed by emerging ransomware groups like ShadowByt3$, which, despite their relatively recent appearance, are capable of targeting major corporations through third-party service vulnerabilities. Organizations must reassess their third-party risk management strategies to prevent similar breaches.

Why This Matters Now

The Nintendo breach highlights the critical need for organizations to secure third-party services, as attackers increasingly exploit these vectors to access sensitive data. With ransomware groups like ShadowByt3$ evolving rapidly, proactive measures are essential to mitigate emerging threats.

Attack Path Analysis

The Shadowbyt3$ group exploited a vulnerability in the third-party TinyPulse service to gain unauthorized access to Nintendo's internal survey data. They escalated their privileges within the TinyPulse environment to access sensitive employee information. Utilizing the compromised access, they moved laterally within the service to gather additional data. The exfiltrated data was then transmitted over encrypted channels to external servers controlled by the attackers. The stolen data, including employee personal details, was used to extort Nintendo for a $2 million ransom. Upon Nintendo's refusal to pay, the attackers leaked the data publicly, impacting the company's reputation and employee privacy.

Kill Chain Progression

Initial Compromise

Mediuminferred

Privilege Escalation

Lowinferred

Lateral Movement

Lowinferred

Command & Control

Lowinferred

Exfiltration

Mediuminferred

Impact

Mediuminferred

Initial Compromise

Description

The Shadowbyt3$ group exploited a vulnerability in the third-party TinyPulse service to gain unauthorized access to Nintendo's internal survey data.

Confidence:

Medium

MITRE ATT&CK® Techniques

Initial Access

T1190

Exploit Public-Facing Application

Initial Access

T1078

Valid Accounts

Exfiltration

T1567

Exfiltration Over Web Service

Impact

T1486

Data Encrypted for Impact

Impact

T1490

Inhibit System Recovery

Command and Control

T1071

Application Layer Protocol

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches.

Control ID: 6.2

The exploitation of a public-facing application indicates that security patches may not have been applied timely, violating the requirement to protect systems from known vulnerabilities.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

Control ID: 500.03

The incident suggests deficiencies in the cybersecurity policy, particularly in areas related to third-party service provider security and data protection measures.

DORA – ICT Risk Management Framework

Control ID: Article 5

The breach highlights weaknesses in the ICT risk management framework, especially concerning third-party risk management and data security controls.

CISA ZTMM 2.0 – Data Security

Control ID: 3.1

The unauthorized access and exfiltration of sensitive data indicate a failure to implement adequate data security measures aligned with zero trust principles.

NIS2 Directive – Cybersecurity Risk Management Measures

Control ID: Article 21

The incident reveals shortcomings in implementing appropriate cybersecurity risk management measures, particularly in securing third-party services and protecting sensitive data.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Computer Games

Gaming companies face ransomware threats targeting third-party survey platforms, exposing employee data including financial information and personal details.

Health Care / Life Sciences

WebMD subsidiary breach demonstrates healthcare sector vulnerability to extortion attacks compromising employee engagement platforms and HIPAA-regulated data systems.

Human Resources/HR

HR service providers like TinyPulse present critical attack vectors for ransomware groups seeking employee personal data, surveys, and organizational intelligence.

Information Technology/IT

Third-party IT service breaches enable lateral movement and data exfiltration, requiring enhanced zero trust segmentation and egress security controls.

Sources

Nintendo confirms data stolen in WebMD subsidiary cyberattackhttps://www.bleepingcomputer.com/news/security/nintendo-confirms-data-stolen-in-webmd-subsidiary-cyberattack/
Verified

Nintendo issues statement about recent data breachhttps://nintendoeverything.com/nintendo-issues-statement-about-recent-data-breach/

Verified

Nintendo Faces $2M Ransom Over Third-Party Data Breach Heisthttps://respawn.outlookindia.com/gaming/gaming-news/nintendo-faces-2m-ransom-over-third-party-data-breach-heist

Verified

Frequently Asked Questions

According to Nintendo, the breach involved internal survey content from a small subset of employees, with most information dating back several years. ShadowByt3$ claims the data includes employee names, email addresses, bank statements, and W-9 forms.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to escalate privileges, move laterally, and exfiltrate data by enforcing strict segmentation and identity-based access controls.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: While initial access may still occur, the attacker's ability to exploit the compromised service to access internal data would likely be constrained.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: The attacker's ability to escalate privileges within the environment would likely be limited, reducing access to sensitive information.

Lateral Movement

Control: East-West Traffic Security

Mitigation: The attacker's ability to move laterally within the network would likely be restricted, limiting access to additional data.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: The attacker's ability to establish command and control channels would likely be detected and disrupted.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: The attacker's ability to exfiltrate sensitive data would likely be constrained, reducing the risk of data theft.

Impact (Mitigations)

The overall impact of the data breach would likely be reduced, minimizing reputational damage and protecting employee privacy.

Impact at a Glance

Affected Business Functions

Human Resources
Employee Relations

Operational Disruption

Estimated downtime: N/A

Financial Impact

Estimated loss: N/A

Data Exposure

Internal employee survey data, including full names, email addresses, analytics, survey data, bank statements, W-9 forms with employee IDs, progress plans, and reports from 2016 to 2026.

Recommended Actions

• Implement Zero Trust Segmentation to restrict lateral movement within third-party services.
• Enforce Egress Security & Policy Enforcement to monitor and control data exfiltration attempts.
• Utilize Multicloud Visibility & Control to detect and respond to unauthorized data access across cloud environments.
• Deploy Threat Detection & Anomaly Response systems to identify and mitigate unusual activities promptly.
• Establish Secure Hybrid Connectivity to ensure encrypted and monitored communication channels between on-premises and cloud services.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

Nintendo's 2026 Data Breach: A Wake-Up Call for Third-Party Security

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

MITRE ATT&CK® Techniques

Exploit Public-Facing Application

Valid Accounts

Exfiltration Over Web Service

Data Encrypted for Impact

Inhibit System Recovery

Application Layer Protocol

Potential Compliance Exposure

PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

DORA – ICT Risk Management Framework

CISA ZTMM 2.0 – Data Security

NIS2 Directive – Cybersecurity Risk Management Measures

Sector Implications

Computer Games

Health Care / Life Sciences

Human Resources/HR

Information Technology/IT

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads