Nintendo responds after alleged third-party data breach

Nintendo of North America says it’s aware of what’s been described as a small third-party data breach affecting some of its employees.

“Nintendo’s systems have not been compromised,” the company told Mashable in a statement, acknowledging that a third-party service was affected by an “issue.”

Earlier this week, a hacking group calling itself ShadowByte$ posted a threat on a “well-known cybercrime forum,” according to CyberNews. The group alleged it stole 859MB of internal corporate data from a third-party service called TinyPulse, which collects employee feedback for companies.

The stolen data reportedly includes the results of employee satisfaction surveys, private messages, and the names of Nintendo employees. According to a LinkedIn profile, TinyPulse is part of WebMD Health Services.

The hacking group reportedly issued a $2 million ransomware demand to prevent the release of the data. Per Kotaku, after failing to get results with Nintendo, the extortion group reportedly tried its luck with TinyPulse as well. However, Nintendo downplayed the sensitivity of the data, telling Mashable the alleged TinyPulse breach is “limited to internal survey content comprising a small subset of our employees.”

We are aware of an issue involving TinyPulse, a third-party service used for internal employee surveys at Nintendo of America. Nintendo’s systems have not been compromised, and no personal customer or financial data has been accessed. The data involved is limited to internal survey content comprising a small subset of our employees, and most of the information dates back several years.   

We appreciate our employees’ willingness to share their perspectives, take all feedback seriously, and take action when needed. We are working with the service provider to address the issue.

In recent years, ransomware-as-a-service tools have made it easier for bad actors — even those without sophisticated coding or hacking skills — to obtain sensitive data from companies and individuals.

Mashable reached out to WebMD Health Services about the alleged TinyPulse data breach, and we’ll update this story if we receive more information.