Threat Actor Demands $2M Ransom

Nintendo is facing a potential incident after a threat actor claimed to have stolen nearly a decade’s worth of internal corporate data and demanded a $2 million ransom to prevent the information from being released publicly.

While the gaming giant has not confirmed the alleged breach, Cybernews researchers reviewing samples of the leaked data say portions of the material appear credible.

“The sample contains HR data, such as pulse surveys and questionnaires about how employees are feeling at work,” researchers noted after examining files published by the threat actor.

Key takeaway from the breach

• A threat actor known as ShadowByte$ claims to have stolen approximately 859MB of Nintendo data and is demanding a $2 million ransom to prevent its release.
• The leaked samples allegedly contain employee names, corporate email addresses, workforce surveys, internal reports, performance metrics, and planning documents.
• Researchers found indicators suggesting portions of the data may be authentic, including employee survey records dating back to 2016 and references to current Nintendo employees.
• It remains unclear whether Nintendo was directly compromised or whether attackers gained access through a third-party provider such as employee engagement platform TinyPulse.
• The incident highlights the growing security risks associated with third-party business applications that store sensitive corporate and workforce data.

Inside the alleged Nintendo data incident

The threat actor, operating under the name ShadowByte$, posted the allegations on a cybercrime forum, claiming to possess approximately 859MB of internal Nintendo data and demanding a $2 million ransom to prevent its release.

According to researchers who reviewed samples published by the actor, the dataset may contain employee names, corporate email addresses, workforce engagement surveys, internal analytics, organizational performance metrics, exported reports, and planning documentation.

Researchers find signs the data may be authentic

While the full scope and authenticity of the alleged breach remain unverified, researchers identified several indicators suggesting that at least portions of the data may be legitimate.

The samples reportedly include employee engagement surveys and workplace feedback records dating back to 2016, supporting the threat actor’s claim that the stolen information spans a ten-year period through 2026.

Researchers also identified references to individuals who appear to still be employed by Nintendo, lending additional credibility to parts of the leaked dataset.

Furthermore, metadata for some exported files reportedly showed creation dates of Jan. 28, 2026, suggesting that at least some records may have been accessed or exported more recently.

Questions remain about the source of the data

Despite these findings, questions remain about how the data was obtained.

Researchers said the available samples do not provide enough evidence to determine whether Nintendo was directly compromised or whether attackers gained access through a third-party service provider that handled employee-related information.

Adding to the uncertainty, ShadowByte$ referenced TinyPulse, an employee engagement platform used by organizations to collect anonymous workforce feedback and measure employee satisfaction.

If accurate, the incident could highlight the ongoing risks associated with third-party vendors that store sensitive corporate data. As organizations increasingly rely on cloud-based business platforms, a compromise involving a trusted provider can expose information across multiple customers.

Nintendo has not publicly confirmed the threat actor’s claims at the time of publication.

Must-read security coverage

How to reduce third-party risk

Although Nintendo has not confirmed the alleged breach, security teams can use the incident as a reminder to review controls surrounding employee and HR-related platforms.

• Conduct regular security assessments of third-party HR, workforce management, and employee engagement vendors to identify and address potential risks.
• Enforce strong access controls, including multi-factor authentication (MFA), least-privilege permissions, and routine user access reviews.
• Monitor HR and SaaS platforms for unauthorized access, unusual activity, and large-scale data exports that could indicate data exfiltration.
• Implement data loss prevention (DLP) controls and encryption to protect sensitive employee information, internal reports, and organizational data.
• Minimize the collection and retention of employee feedback, survey responses, and other sensitive workforce data to reduce potential exposure.
• Establish continuous monitoring of vendor integrations, API connections, and SaaS configurations to detect security gaps and misconfigurations.
• Test incident response plans through tabletop exercises and breach simulations, including scenarios involving third-party vendor compromises.

Together, these measures can help organizations reduce their exposure to third-party risks while building resilience against future incidents.

Editor’s note: This article originally appeared on our sister publication, eSecurityPlanet.