
Nintendo of America Employee Data Stolen in TinyPulse Third-Party Breach
Nintendo of America confirmed on June 18, 2026, that internal employee survey data was stolen from TinyPulse, a third-party employee engagement SaaS solution owned by WebMD Health Services. The 'Shadowbyt3$' extortion group claimed responsibility, stating they exfiltrated approximately 1GB of data, including employee names, email addresses, analytics, survey data, bank statements, and W-9 forms. Nintendo's own systems and customer data were not compromised.
Signal context
First seen: Jun 18, 2026
Last updated: Jun 25, 2026
Status: Public signal
Key points
- Nintendo of America confirmed data theft on June 18, 2026.
- Data was stolen from TinyPulse, a third-party SaaS provider used by Nintendo.
- The 'Shadowbyt3$' extortion group claimed responsibility for the breach.
Signal analysis
This analysis groups the signal by industry, likely incident action and impacted security area. It helps compare this signal with other published signals without treating the labels as final determinations.
Sector: Finance and Insurance
Likely country: Location not provided
The feed marks multiple actor roles. Treat this as a review signal rather than a final attribution.
- Source type: outside the affected organization
- Source type: possible insider or internal misuse
Impact area: Confidentiality
Likely asset: User or customer data
- 26 signals in the same sector
- 95 signals with the same likely impact area
- 1 signal linked to this organization/domain
External sources
- June 2026 Data Breaches: List Major Incidents & Latest Updates - SharkStriker: https://sharkstriker.com/blog/june-2026-data-breaches/ (public source from sharkstriker.com)
- AI-Driven Threats, Zero-Days, and Data Breaches Define This Week in Cybersecurity for June 2026 | eSecurity Planet: https://www.esecurityplanet.com/weekly-roundup/ai-driven-threats-zero-days-and-data-breaches-define-this-week-in-cybersecurity-for-june-2026/ (public source from esecurityplanet.com)
- Nintendo confirms data stolen in WebMD subsidiary cyberattack - Bleeping Computer: https://www.bleepingcomputer.com/news/security/nintendo-confirms-data-stolen-in-webmd-subsidiary-cyberattack/ (public source from bleepingcomputer.com)
- Nintendo confirms employee survey data stolen from third-party service | brief | SC Media: https://www.scmagazine.com/brief/nintendo-confirms-employee-survey-data-stolen-from-third-party-service (public source from scmagazine.com)
Related signals
Grouped by why the signal is relevant.
Xsolis Data Breach Affects Nearly 1.4 Million Individuals
Healthcare technology company Xsolis disclosed a data breach impacting approximately 1.4 million individuals. The incident stemmed from a targeted phishing attack on January 20, 2026, which led to unauthorized access to a limited portion of the Xsolis environment. Exposed data includes names, dates of birth, Social Security numbers, health insurance information, and medical treatment information. Xsolis provides AI-powered solutions for healthcare providers and payers.
London Hydro Discloses Data Breach Affecting Customer Information
Canadian electricity provider London Hydro announced a data breach that potentially impacted the personal and account information of its customers. The exposed data may include names, addresses, email addresses, phone numbers, account and billing numbers, service addresses, pricing plans, contract dates, and meter numbers. The utility became aware of suspicious activity on a customer account on June 18, 2026, and an investigation determined that a system vulnerability was exploited. No financial or other sensitive information, such as dates of birth or government IDs, was compromised.
American Express Insider Data Breach Reported
American Express was involved in an insider data breach where an employee accessed the personal financial information of an individual. An investigation by the Australian Privacy Commissioner found the company breached privacy laws by failing to implement adequate restrictions on staff access to customer accounts.
NAIC Confirms Cyberattack on Oracle PeopleSoft Systems by ShinyHunters
The National Association of Insurance Commissioners (NAIC) confirmed a cyberattack on its Oracle PeopleSoft systems, part of a broader campaign by ShinyHunters exploiting CVE-2026-35273 between May 27 and June 9, 2026. The breach exposed publicly available statutory financial reporting information and credit rating agency data.
SoFi Hong Kong Confirms Third-Party Data Breach
SoFi Hong Kong, a subsidiary of the financial technology company SoFi, confirmed a data breach after hackers gained unauthorized access to a database at a third-party vendor containing customer information. The company is advising customers to update passwords, enable two-factor authentication, and monitor their accounts.
DentaQuest Data Breach Exposes Information of 2.6 Million Accounts
Dental benefits administrator DentaQuest confirmed a cybersecurity incident that led to unauthorized access to a portion of its network. The ShinyHunters extortion group claimed responsibility, publishing over 230 gigabytes of data allegedly stolen from DentaQuest. The leaked data impacts approximately 2.6 million accounts and includes names, addresses, email addresses, phone numbers, dates of birth, government-issued IDs, health insurance information, and Medicaid IDs. A class-action lawsuit investigation was announced on June 5, 2026.
