How Game Freak breach happened: Pokemon dev confirms data breach after private files leak online

Pokemon developer posts an announcement online

Pokemon dev Game Freak data breach

In August 2024, Game Freak, the developer behind the Pokémon series, was targeted by a cyberattack. The breach went unnoticed until October when sensitive data was leaked online. Hackers gained unauthorized access to the company’s servers, exploiting weaknesses in Game Freak's security measures. This attack, now dubbed “Teraleak,” follows in the footsteps of other major breaches in the gaming industry.

The breach revealed that the hackers stole personal data, including employee information, and internal company documents, some of which related to unreleased Pokémon titles and other intellectual property. Game Freak has acknowledged the attack and posted a public statement[1] in Japanese, which reads:[2]

October 10, 2024

Game Freak Inc.

Notice and apology regarding the leak of personal information due to unauthorized access

Game Freak Inc. (Headquarters: Chiyoda-ku, Tokyo, CEO: Satoshi Tajiri, hereinafter referred to as “the Company”) has discovered that the personal information of our employees and others was leaked in connection with unauthorized access to our server by a third party in August 2024.

We sincerely apologize for the great inconvenience and concern caused to all concerned parties.

1. Leaked personal information

Personal data regarding our employees, etc.*

Items: Name, company email address

Number of cases: 2,606

*Our employees, contracted business workers (including G-appointed employees and former employees)

2. Response to those whose personal information has been confirmed to have been leaked

We are contacting the relevant employees, etc. individually.

For those who cannot be contacted individually due to resignation, etc., we will notify them through this announcement and set up a hotline to handle inquiries regarding this matter.

3. Measures to prevent recurrence

We have already rebuilt and re-inspected our servers, but we will work to prevent recurrence by further strengthening our security measures.

4. Inquiries regarding this matter

Inquiries from those affected by this matter can be made through the hotline below.

Various intellectual and employee data stolen but, allegedly, no customer information was affected

Among the stolen data were details of 2,606 employees and contractors, including full names and company email addresses. Additionally, hackers obtained sensitive internal files, such as game source code, artwork, and development materials from both completed and upcoming projects.

Information about a new, unreleased Pokémon game and potential details about Nintendo's upcoming Switch 2 console were part of the leak​. The size of the data stolen is reported to be around 1 TB in size.

While customer data appears to have been unaffected, the leaked data also contained beta builds and materials from past Pokémon games like Pokémon HeartGold and Black 2/White 2. The massive volume of information, shared across social media platforms, raised concerns about the possible long-term impact on Game Freak’s intellectual property. Many of the designs are broadly accessible at the time of the writing.

Among the leaked data, some controversial material about undisclosed Pokémon lore was discovered and contents were described as “disturbing” by some.[3]

The impact

The breach has significantly impacted Game Freak’s operations and reputation. While the company continues to reassure the public that no customer data was compromised, the exposure of sensitive employee information, as well as upcoming game details, has left fans and the broader gaming community concerned. The leak of source code and beta materials might also pose a financial risk, as competitors and other malicious actors could potentially exploit this information.

Moreover, the leak of unfinished and unannounced projects may disrupt the development and release schedules of future Pokémon games. Game Freak has since undertaken measures to secure its servers and prevent future breaches.

Game Freak responded swiftly once the breach became public knowledge, issuing a statement on October 10, 2024, confirming the extent of the data leak. The company has already rebuilt its server infrastructure and plans to improve its security practices to prevent similar incidents. Additionally, Game Freak set up a hotline to support affected employees, particularly those who had retired or could not be contacted directly.

About the author
Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.

Contact Gabriel E. Hall
About the company Esolutions

References
Files
Software
Compare