Nintendo is facing a potential incident after a threat actor claimed to have stolen nearly a decade’s worth of internal corporate data and demanded a $2 million ransom to prevent the information from being released publicly.

While the gaming giant has not confirmed the alleged breach, Cybernews researchers reviewing samples of the leaked data say portions of the material appear credible.

“The sample contains HR data, such as pulse surveys and questionnaires about how employees are feeling at work,” researchers noted after examining files published by the threat actor.

Key takeaway from the breach

• A threat actor known as ShadowByte$ claims to have stolen approximately 859MB of Nintendo data and is demanding a $2 million ransom to prevent its release.
• The leaked samples allegedly contain employee names, corporate email addresses, workforce surveys, internal reports, performance metrics, and planning documents.
• Researchers found indicators suggesting portions of the data may be authentic, including employee survey records dating back to 2016 and references to current Nintendo employees.
• It remains unclear whether Nintendo was directly compromised or whether attackers gained access through a third-party provider such as employee engagement platform TinyPulse.
• The incident highlights the growing security risks associated with third-party business applications that store sensitive corporate and workforce data.

Inside the alleged Nintendo data incident

The threat actor, operating under the name ShadowByte$, posted the allegations on a cybercrime forum, claiming to possess approximately 859MB of internal Nintendo data and demanding a $2 million ransom to prevent its release.

According to researchers who reviewed samples published by the actor, the dataset may contain employee names, corporate email addresses, workforce engagement surveys, internal analytics, organizational performance metrics, exported reports, and planning documentation.

Researchers find signs the data may be authentic

While the full scope and authenticity of the alleged breach remain unverified, researchers identified several indicators suggesting that at least portions of the data may be legitimate.

The samples reportedly include employee engagement surveys and workplace feedback records dating back to 2016, supporting the threat actor’s claim that the stolen information spans a ten-year period through 2026.

Researchers also identified references to individuals who appear to still be employed by Nintendo, lending additional credibility to parts of the leaked dataset.

Furthermore, metadata for some exported files reportedly showed creation dates of Jan. 28, 2026, suggesting that at least some records may have been accessed or exported more recently.

Questions remain about the source of the data

Despite these findings, questions remain about how the data was obtained.

Researchers said the available samples do not provide enough evidence to determine whether Nintendo was directly compromised or whether attackers gained access through a third-party service provider that handled employee-related information.

Adding to the uncertainty, ShadowByte$ referenced TinyPulse, an employee engagement platform used by organizations to collect anonymous workforce feedback and measure employee satisfaction.

If accurate, the incident could highlight the ongoing risks associated with third-party vendors that store sensitive corporate data. As organizations increasingly rely on cloud-based business platforms, a compromise involving a trusted provider can expose information across multiple customers.

Nintendo has not publicly confirmed the threat actor’s claims at the time of publication.

Must-read security coverage

How to reduce third-party risk

Although Nintendo has not confirmed the alleged breach, security teams can use the incident as a reminder to review controls surrounding employee and HR-related platforms.

• Conduct regular security assessments of third-party HR, workforce management, and employee engagement vendors to identify and address potential risks.
• Enforce strong access controls, including multi-factor authentication (MFA), least-privilege permissions, and routine user access reviews.
• Monitor HR and SaaS platforms for unauthorized access, unusual activity, and large-scale data exports that could indicate data exfiltration.
• Implement data loss prevention (DLP) controls and encryption to protect sensitive employee information, internal reports, and organizational data.
• Minimize the collection and retention of employee feedback, survey responses, and other sensitive workforce data to reduce potential exposure.
• Establish continuous monitoring of vendor integrations, API connections, and SaaS configurations to detect security gaps and misconfigurations.
• Test incident response plans through tabletop exercises and breach simulations, including scenarios involving third-party vendor compromises.

Together, these measures can help organizations reduce their exposure to third-party risks while building resilience against future incidents.

Editor’s note: This article originally appeared on our sister publication, eSecurityPlanet.

The U.S. government’s enforcement letter to Anthropic, which effectively forced the company to pull its latest AI models offline just before the weekend, should be a wake-up call for any U.S. tech company — AI lab or otherwise. 

To catch you up on the news blitz: On Friday afternoon, the U.S. Commerce Department sent Anthropic a letter invoking an obscure export control directive that banned non-Americans, including Anthropic’s employees, from accessing Fable 5 and Mythos 5, citing an unspecified national security concern. Anthropic said it believes the letter is related to a bypass of the model’s guardrails, but isn’t sure because the letter doesn’t provide specific details. The letter has not been made public.

In response, Anthropic shut down both of its top models to all customers to ensure that it complied with the directive. The result was that the U.S. government successfully forced a tech company to pull its models offline with a swift and unilateral action that didn’t appear to require court approval.

Friday’s intervention by the Trump administration shows that the AI industry is not immune to government interference. It’s also a warning to the wider tech industry: comply, or we can shut you and your products down. 

Citing sources, Axios described a tense situation over the weekend between the two major players, saying that the “personality differences” between Anthropic and the Trump administration led to the export directive, rather than a technical issue with the AI products.

New details about the issue that emerged over the weekend now cast further doubt on the government’s already shaky reasoning.

Katie Moussouris, a cybersecurity veteran and researcher who founded Luta Security, said in a blog post that Anthropic recently shared with her a private copy of a paper written by security researchers describing an alleged guardrail bypass in Fable 5. (The Wall Street Journal reports that the paper’s authors are security researchers at Amazon.) Moussouris said that Anthropic reached out to ask for her take on the paper.

Moussouris’ blog post described how the researchers triggered the guardrail bypass, but said that the bypass itself “should never have triggered an export control.” The difference is largely between asking an AI model to “review code for security issues” versus asking it to “fix this code.” The end result is largely the same, even if the questions are posed slightly differently.

“The behavior described in the paper cannot meaningfully be fixed, and any attempt would only weaken the model for defense,” said Moussouris, who criticized the export control directive as hasty, heavy-handed, and misguided.

Moussouris and dozens of other top security researchers and experts have since called on the Trump administration to revoke the export control order, calling the move to pull advanced cybersecurity capabilities from network defenders in the U.S. as “dangerous.”

Past administrations have made sweeping decisions on knowledge gaps. For instance, language used by the U.S. government during the 2010s to fix export law covering cybersecurity tools that could also be used for cyberattacks was so broad that it inadvertently near-outlawed legitimate security and vulnerability research.

However, the Trump administration’s directive appears retaliatory.

Justin Hendrix, the editor of Tech Policy Press, said the Trump administration’s move is “likely to raise alarms in foreign capitals about the reliability of American AI for critical applications.” The message is that AI companies in the United States can’t be trusted to operate without interference from the U.S. government.

The Trump administration hasn’t confirmed why it invoked its export control directive. Did the officials misread the report and freak out? Did Amazon CEO Andy Jassy say something to senior government officials that prompted the reaction, out of caution or spite? Was something lost in translation, or was this a way to pressure Anthropic, with whom the administration already has a fractious relationship? It’s possible that the White House was unaware of the far-reaching consequences of the letter’s demand and officials are scrambling to undo the damage of their own making.

To quote Hendrix, “the climate is one of a cloud of suspicion that senior officials are picking favorites based on personal and political factors.” The aftermath is that the government has set a dangerous precedent about how much control it intends to wield over the release of American-made software.

This time the government took issue with Anthropic; tomorrow it could be with anyone else.

Fox is buying its way deeper into the streaming interface.

The TV corporation is adding another free streaming platform to its roster with the $22 billion purchase of Roku. Announced on June 15, the deal combines Roku, which has 100 million subscribers on its ad-supported The Roku Channel video streaming service, with Fox’s Tubi, another ad-supported service with close to 100 million subscribers.

Fox also gains control of the leader in the smart TV device market, with 32% market share in the US connected TV market ahead of Amazon, Apple, and Samsung, according to Pixalate. This brings in a new revenue stream for Fox, as a key distribution platform for TV shows, movies, and streaming platforms, and could allow them to promote their own programming ahead of rivals.

Roku’s ad platform is the real cash cow

Roku may be best known for its connected TVs and streaming sticks, but those products accounted for less than a quarter of the company’s revenue in 2025.

Amazon, Google, and Xiaomi have flooded the market with cheap streaming sticks — for under $40 — making it hard for Roku to generate consistent revenue. The main segment, which brought in $4.1 billion in 2025, comes primarily from ads sold on The Roku Channel, as well as sponsored placements on the Roku interface.

This is what Fox is paying so much for, as ad-supported streaming platforms have grown rapidly over the last few years. Consumers are looking for cheaper ways to watch TV shows and movies, with Netflix, HBO Max, and Disney+ all introducing cheaper ad-supported subscription tiers. Roku and Tubi compete with YouTube, TikTok, and other freemium video services.

What’s hot at TechRepublic

Roku and Tubi to remain separate… for now

Even though The Roku Channel and Tubi are very similar, Fox has said it will not merge them.

“If you look at Tubi and the Roku channel together, they are incredibly complementary services,” Fox Corporation CEO Lachlan Murdoch said on an investor call, per The Hollywood Reporter. “There’s about a third overlap between the audience, between the two of them, so that they’re not identical audiences. Bringing the two of them together effectively triples the reach of the combined service.”

That said, sentiment can change quickly. When Disney originally acquired most of Hulu, it said the two platforms were complementary, but it has been itching ever since to fully take over Hulu and merge the two to create a streaming powerhouse. The same may happen to The Roku Channel and Tubi over time.

Even though it is unlikely to face the same regulatory heat as the Warner Bros, Netflix, and Paramount buyout drama, especially in the current political climate, there will still be a period for both sides to file antitrust and competition filings. With Roku holding a dominant position as a streaming distributor, Fox may need to sign agreements allowing rivals to be featured on the platform and to retain some access to Roku’s physical remote control buttons.

Fox expects to close the deal in the first half of 2027.

Related reading: Google made a similarly massive bet on cybersecurity earlier this year, agreeing to acquire cloud security firm Wiz for $32 billion in the largest tech deal in Israeli history.