NVIDIA: We've Been Hacked, User Records Lost
July 13, 2012 6:00 PM
Fortunately passwords appear to have been strongly hashed
NVIDIA Corp. (
) had some bad news to announce late yesterday. The site
the following statement on its Forums page:
NVIDIA suspended operations of the NVIDIA Forums (forums.nvidia.com) last week.
We did this in response to suspicious activity and immediately began an investigation. We apologize that our continuing investigation is taking this long. Know that we are working around the clock to ensure that secure operations can be restored.
Our investigation has identified that unauthorized third parties gained access to some user information, including:
hashed passwords with random salt value
public-facing "About Me" profile information
NVIDIA did not store any passwords in clear text. "About Me" optional profiles could include a user’s title, age, birthdate, gender, location, interests, email and website URL – all of which was already publicly accessible.
NVIDIA is continuing to investigate this matter and is working to restore the Forums as soon as possible. We are employing additional security measures to minimize the impact of future attacks.
All user passwords for our Forums will be reset when the system comes back online. At that time, an email with a temporary password, along with instructions on how to change it, will be sent to the user’s registered email address.
As a precautionary measure, we strongly recommend that you change any identical passwords that you may be using elsewhere.
NVIDIA does not request sensitive information by email. Do not provide personal, financial or sensitive information (including new passwords) in response to any email purporting to be sent by an NVIDIA employee or representative.
), and others likely fell victim to an SQL injection attack. SQL injection attacks exploit the fact that internet user databases are publicly hosted, sending them malformed request strings designed to execute disallowed commands. They can be defeated by careful programming, but implementing protections is a time-intensive and expensive process, hence many companies have vulnerable databases.
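As an added illustration (not part of the original article or NVIDIA's statement), the Python sketch below contrasts a forum profile lookup that pastes request text into its SQL with one that binds it as a parameter. The table layout, member names and the crafted string are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for a forum member table.
ROWS = [("alice", "GPU hobbyist", "hash-a"), ("o'neil", "CUDA developer", "hash-b")]
CRAFTED = "nobody' OR '1'='1"  # constructed malformed request string

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (name TEXT, about TEXT, pw_hash TEXT)")
    db.executemany("INSERT INTO members VALUES (?, ?, ?)", ROWS)
    return db

def profile_concat(db, name):
    # Vulnerable: the request text is pasted into the statement, so quote
    # characters in it are parsed as SQL syntax rather than as data.
    sql = "SELECT name, about FROM members WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def profile_bound(db, name):
    # Hardened: the statement is fixed and the value travels separately as a
    # bound parameter, so it is only ever compared as a string.
    sql = "SELECT name, about FROM members WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()

def try_lookup(fn, db, name):
    """Return the rows, or the string 'error' if the statement fails to parse."""
    try:
        return fn(db, name)
    except sqlite3.OperationalError:
        return "error"

if __name__ == "__main__":
    db = make_db()
    for name in ("alice", "o'neil", CRAFTED):
        print(repr(name), try_lookup(profile_concat, db, name),
              try_lookup(profile_bound, db, name))
```

The concatenated version also fails on the legitimate name containing an apostrophe, which is often the first visible symptom of this class of bug.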
NVIDIA Forums is a popular stomping ground both for gaming enthusiasts and for programmers developing GPU applications using NVIDIA's proprietary CUDA API.
The first of two major concerns arising from the NVIDIA attack is the possibility of phishing. Now that an unknown party has users' emails, it could send them messages (as the NVIDIA post alludes to), trying to trick them into providing their password in plaintext or other personal details.
The second danger is the possibility that the hashed passwords could be cracked. NVIDIA did not reveal what hashing algorithm it used, but the fact that it used a random salt value indicates that its passwords were likely relatively strongly hashed.
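As an added illustration (not from the original article or NVIDIA's statement, which did not name the algorithm), the Python sketch below audits the same constructed accounts under three storage schemes to show what a random salt changes and what an iteration count adds on top. It goes slightly beyond the paragraph above by including key stretching with PBKDF2; the account names, passwords, wordlist and iteration count are all assumptions made for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 1000  # assumption for the demo; real deployments use far more

def unsalted(pw, salt=b""):
    return hashlib.sha512(pw.encode()).digest()

def salted(pw, salt):
    return hashlib.sha512(salt + pw.encode()).digest()

def stretched(pw, salt):
    # PBKDF2 chains ITERATIONS HMAC-SHA512 iterations for every guess.
    return hashlib.pbkdf2_hmac("sha512", pw.encode(), salt, ITERATIONS)

# scheme name -> (hash function, iterations charged per guess)
SCHEMES = {"unsalted": (unsalted, 1), "salted": (salted, 1),
           "stretched": (stretched, ITERATIONS)}

def build_store(users, scheme):
    fn, _ = SCHEMES[scheme]
    store = {}
    for name, pw in users.items():
        salt = os.urandom(16)  # fresh random salt per account
        store[name] = (salt, fn(pw, salt))
    return store

def audit(store, wordlist, scheme):
    """Return (accounts whose password is in wordlist, hash iterations spent)."""
    fn, rounds = SCHEMES[scheme]
    if scheme == "unsalted":
        # One table, computed once, is reusable against every account.
        table = {fn(w) for w in wordlist}
        weak = {u for u, (_, h) in store.items() if h in table}
        return weak, len(wordlist) * rounds
    weak, work = set(), 0
    for user, (salt, h) in store.items():
        for w in wordlist:  # the salt forces a separate pass per account
            work += rounds
            if hmac.compare_digest(fn(w, salt), h):
                weak.add(user)
    return weak, work

# Constructed sample data.
USERS = {"alice": "dragon", "bob": "dragon", "carol": "x9!fTq#28vLm"}
WORDLIST = ["123456", "password", "dragon", "letmein"]

if __name__ == "__main__":
    for scheme in SCHEMES:
        weak, work = audit(build_store(USERS, scheme), WORDLIST, scheme)
        print(f"{scheme:9} weak={sorted(weak)} hash_iterations={work}")
```

In all three schemes the weak password falls to the wordlist; the salt removes table reuse and hides that two accounts share a password, while the iteration count is what multiplies the cost of each guess.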
The announcement was actually the second major announcement of a SQL injection breach on Thursday. Earlier, Yahoo! Inc. (
) announced that hackers had found 453,000 of its user passwords. Yahoo! was less fortunate than NVIDIA -- bafflingly, it decided to store its user passwords in plaintext, greatly increasing the potential damage to its users.
7/13/2012 7:17:27 PM
I'm happy to see NVIDIA man up on it. I'm a bit confused what hackers would be after on NVIDIA and it sounds like NVIDIA was doing the right thing by encrypting.
As a general practice users shouldn't use the same login/password across sites.
I'd even recommend purchasing your own domain and using a catch-all email account and having different e-mail addresses. Also tells you which sites sell your info as spam.
I haven't purchased an NVIDIA product in a while and I'll say this won't affect me in any negative way from purchasing from them in the future if I choose to.
RE: Thanks NVIDIA
7/14/2012 10:21:08 AM
I think the article is a bit unfair to compare this to Yahoo's. It does mention the passwords were hashed with random salts, but in my opinion the Yahoo system had no place being used on the internet, period. It's totally irresponsible.
Nvidia used hashed passwords and a random salt, which is about the best you can do right now. Quite a difference.
SQL injection is preventable as others have pointed out, so it's still bad, but it's a lot easier to be unaware you have a SQL injection vulnerability than to be unaware you have plain text passwords.
Anyways, I got an email from NVIDIA yesterday...
RE: Thanks NVIDIA
7/14/2012 3:38:04 PM
At this point, it really depends on the hash used. All a salt does is prevent the use of rainbow tables.
If it was MD5, these passwords have been decrypted, salt or no salt.
If it was a single pass of SHA512, then, maybe some of them can be decrypted in the coming months.
If it was .1 seconds worth of computation time on an average CPU (1000+ passes of SHA512 hashing), the passwords are likely safe for a few years.
RE: Thanks NVIDIA
7/15/2012 12:21:56 PM
I used to think that. But then I read up something Jeff Atwood posted...
Ultimately it depends on how the nvidia forums hashed their password. SHA512 isn't really safe, and neither is salting. If hackers gained the password db, it's a good bet they might also have gained the salt values, which makes salting worthless. Given the speed at which modern (and ironically, NVidia) GPUs can process most hashing algorithms, it's only a matter of less time than you think of hacking. The only security you have, then, is making a gigantically long password.