Hackers demand $2M from Nintendo over a data breach
A threat actor is demanding $2 million from Nintendo after allegedly stealing a decade's worth of corporate data, while Nintendo confirms a third-party breach.

A threat actor is demanding $2 million from Nintendo after allegedly stealing a decade's worth of corporate data, while Nintendo confirms a third-party breach.
- A threat actor calling itself ShadowByte$ claims to have stolen approximately 859MB of Nintendo corporate data and is demanding a $2 million ransom to prevent the information from being released.
- The leaked samples allegedly contain sensitive internal records, including employee names, corporate email addresses, HR surveys, workplace feedback, organizational performance metrics, internal reports, and planning documentation.
- Researchers who reviewed the samples found evidence suggesting at least part of the data may be authentic, including employee engagement surveys dating back to 2016 and references to individuals who still appear to work at Nintendo.
- Nintendo confirms a third-party breach involving HR platform TinyPulse.
A threat actor is claiming to have breached the Japanese gaming giant Nintendo, alleging the theft of internal corporate data and demanding a $2 million ransom to prevent its release.
The claims surfaced on a well-known cybercrime forum. In the post, the actor stated that they possess approximately 859MB of data allegedly linked to Nintendo.
While the authenticity and full scope of the incident remain unverified, samples reviewed by our researchers suggest the leaked material may contain internal employee information.
What data was allegedly stolen?
The data samples released with the post show a range of internal corporate records, including:
- Employee names and corporate email addresses
- Internal analytics and reporting data
- Employee surveys and engagement feedback
- Exported reports
- Organizational performance metrics
- Internal planning documentation and program record
A decade of corporate data?
Cybernews researchers have reviewed the samples published by the threat actor and found what appears to be human resources-related information, including employee questionnaires, workplace feedback submissions, and internal pulse survey data.
"The sample contains HR data, such as pulse surveys and questionnaires about how employees are feeling at work," the researchers said.
The documents appear to include employee sentiment and workplace feedback collected through internal engagement programs.
The threat actor claims the records span from 2016 through 2026. Our researchers confirmed that some date back to 2016.
Metadata associated with the exported files appears to have been created on January 28th, 2026.
If accurate, this suggests the dataset may contain up to a decade of historical reporting and employee feedback information.
Our researchers were also able to identify individuals referenced in some of the survey data who still appear to be employed by Nintendo, lending credibility to at least portions of the sample.
"Some people from those pulse surveys are still at Nintendo and were identifiable, so the leak could be legitimate," one researcher noted.
According to the team, the sample alone is insufficient to determine whether attackers compromised Nintendo directly or breached a third-party HR platform.
The actor references TinyPulse, an employee engagement platform used by organizations to collect anonymous workforce feedback and measure employee satisfaction.
Nintendo confirms data breach
Cybernews reached out to Nintendo, and the company confirmed the issue involving TinyPulse, a third-party service used for internal employee surveys at Nintendo of America.
"The data involved is limited to internal survey content comprising a small subset of our employees, and most of the information dates back several years. We appreciate our employees’ willingness to share their perspectives, take all feedback seriously, and take action when needed," a Nintendo of America spokesperson said. The company said it is working with the service provider to address the issue.
Extortion groups are increasingly targeting corporate data
If proven to be legitimate, the incident reflects a broader trend among cybercriminal gangs. The gangs are increasingly choosing to steal sensitive internal data for extortion, rather than encrypting systems.
These groups threaten to publish confidential information ranging from source code and financial records to employee data.
Even when datasets do not contain customer information, internal corporate records can still provide significant value to attackers.
They can exploit the data to craft convincing phishing attacks, not to mention reputational impact for the affected company. Such internal data can also reveal how the company operates, providing valuable insights to competitors.
The gang behind the Nintendo breach claims to be going under the name ShadowByte$. They started operating around February 2026.
The gang previously claimed to have snatched data from Starbucks AWS cloud storage and demanded $500,000 from the company.
However, our researchers did not find indicators in the data samples linking the data to Starbucks.
Updated on June 17th [11:00 a.m. GMT+2] with a statement from Nintendo.
Unlock more exclusive Cybernews content on YouTube.