Nintendo of America confirmed that threat actors stole employee survey data during a cyberattack on TinyPulse, a third-party feedback platform the company uses internally. The breach did not compromise Nintendo's own systems.

TinyPulse, owned by WebMD parent company Ziff Davis, experienced a security incident that exposed data from multiple enterprise clients. Nintendo stated that attackers accessed survey responses collected through the platform but emphasized that the intrusion remained isolated to TinyPulse's infrastructure.

The stolen data consisted of internal employee feedback and survey information rather than customer data or proprietary gaming assets. Nintendo clarified that no financial information, user credentials, or sensitive corporate systems were compromised in the incident.

This breach exemplifies a common attack vector targeting organizations through vulnerable third-party service providers. Companies increasingly rely on cloud-based software-as-a-service platforms for human resources, employee engagement, and feedback collection. These external services create potential security gaps when providers fail to implement adequate defenses or patch known vulnerabilities.

Ziff Davis operates multiple consumer and enterprise properties beyond WebMD, making the scope of affected organizations potentially extensive. Companies relying on TinyPulse should assume their employee data may have been exposed and review data retention policies with the vendor.

For Nintendo specifically, the containment to external systems limits reputational risk. However, the incident reinforces that even large corporations with mature security programs cannot fully control threats originating from trusted vendors. Organizations should implement data minimization practices with third-party platforms, requiring vendors to encrypt sensitive information and maintain audit logs.

Affected companies should monitor for misuse of employee data, including targeted phishing campaigns or social engineering attempts leveraging insider knowledge. TinyPulse customers should be notified of exactly which data fields were accessed and should demand that the vendor provide breach forensics and evidence of remediation.