Man in black hood working showing Pokémon Developer data breach

Pokémon Developer Game Freak’s Data Breach Includes Thousands of Employee Records, Internal Nintendo Secrets

Pokémon developer Game Freak has confirmed that it suffered a major data breach in August that involved both employee records and confidential business information from partner company Nintendo.

2,606 employees of the company, current and former as well as contract workers, had names and email addresses exposed to hackers. The items that have made bigger headlines thus far are the Nintendo corporate secrets that were stolen, such as information about the company’s next console and upcoming Pokémon games.

Data breach reveals some Nintendo plans for the future

The Pokémon developer has confirmed that the data breach took place about two months ago and was the result of illegal access to the company’s internal network.

Rumors have been swirling about Nintendo’s forthcoming sequel to the highly popular Switch console, which has been given the unofficial moniker of “Switch 2” by fans. It turns out that, at least if the data breach is to be believed, the planned name for the system at the moment is “Ounce.”

Game Freak is also reportedly working on the 10th generation Pokémon game, calling the two versions “K” and “N” internally, and planning to release it for both the Switch and its successor. The leaks also mention a separate game called “Synapse” that appears to be a multiplayer online Pokémon title.

The leak may have also contained the source code for some of the Pokémon developer’s older titles for the Nintendo DS system. And the company appears to have been planning sequels to its “Detective Pikachu” film at one time, with the original idea being a trilogy whose next title would have come out sometime this year. It also may be, or at least have been in, talks with Netflix to develop a new Pokémon TV series.

Most of the internal business information that was leaked appears to be similar insider info about IP that was discussed in company meetings. There is little word of damaging financial information. The Pokémon developer also does not appear to have lost any more sensitive information than the work email addresses of employees, making the whole data breach more of a point of interest for Nintendo fans. The Pokémon Company, which is jointly owned by Nintendo and Game Freak, does not appear to be impacted.

Pokémon developer data breach recalls 2020 “Gigaleak”

A machine-translated statement from the Pokémon developer indicated that it has made server improvements in response to the attack, but provided almost nothing in the way of detail about how it happened. Japan’s current data breach laws obligate business victims to report leaks of personal information to its data protection commission and data subjects if they could harm the interests or rights of individuals, or if they might cause financial damage. It is not clear that this breach meets this standard of seriousness given that it only contained work email addresses paired with names, but it does meet the standards of involving at least 1,000 data subjects and being leaked by “wrongful purpose.” Regardless of the circumstances a breach notification is only required to indicate that investigations and/or preventive measures have been initiated, so we may not see any more official word on exactly how the data breach happened.

The data breach has yet to be claimed by anyone, leaving open the possibility that it was an inside job. The leaked materials began appearing on one of 4Chan’s message boards in early October, and that appears to have been the first indication of the breach. The total leak appears to contain gigabytes of information, but the social media communities that have dedicated themselves to poring through it indicate it is mostly internal meetings about games and hardware and assorted design materials that date back through years of the Pokémon developers work.

The hack on the Pokémon developer is very reminiscent of 2020’s “Gigaleak,” which also involved hackers that did not appear to be interested in profit leaking internal materials to 4Chan. The source of that data breach also has yet to be confirmed but has been narrowed to most likely being either a Nintendo third-party contractor or a rogue Malwarebytes employee who was sentenced for hacking Microsoft and other companies in 2019. That leak also centered on private materials from older outdated systems, going back as far as the Game Boy Color and Super Nintendo, and was mostly of interest to preservationists and hardcore video game fans. This data breach has not been connected to that older leak, with the party that uploaded materials to 4Chan stating that it was an entirely separate incident.

Nintendo has also struggled with recent leaks that appear to be coming from internal sources. A series of leaks about upcoming titles and Switch 2 development earlier this year was traced to contractors with access to company social media accounts, and prompted an announcement at a shareholders meeting in June that the company would be boosting its internal security.