Print 33 comment(s) - last by JimKiler.. on Jul 16 at 2:22 PM

Fortunately passwords appear to have been strongly hashed

NVIDIA Corp. (NVDA) had some bad news to announce late yesterday.  The site posted the following statement on its Forums page:

NVIDIA suspended operations of the NVIDIA Forums ( last week.

We did this in response to suspicious activity and immediately began an investigation. We apologize that our continuing investigation is taking this long. Know that we are working around the clock to ensure that secure operations can be restored.

Our investigation has identified that unauthorized third parties gained access to some user information, including:

  • username
  • email address
  • hashed passwords with random salt value
  • public-facing "About Me" profile information
NVIDIA did not store any passwords in clear text. "About Me" optional profiles could include a user’s title, age, birthdate, gender, location, interests, email and website URL – all of which was already publicly accessible.

NVIDIA is continuing to investigate this matter and is working to restore the Forums as soon as possible. We are employing additional security measures to minimize the impact of future attacks.

All user passwords for our Forums will be reset when the system comes back online. At that time, an email with a temporary password, along with instructions on how to change it, will be sent to the user’s registered email address.

As a precautionary measure, we strongly recommend that you change any identical passwords that you may be using elsewhere.

NVIDIA does not request sensitive information by email. Do not provide personal, financial or sensitive information (including new passwords) in response to any email purporting to be sent by an NVIDIA employee or representative.

NVIDIA, like Sony Corp. (TYO:6758), Nokia Oyj. (HEX:NOK1V), and others likely fell victim to an SQL injection attack.  SQL injection attacks exploit the fact that internet user databases are publicly hosted and send them malformed request strings designed to execute disallowed commands.  They can be defeated by careful programming, but implementing protections is a time intensive and expensive process, hence many companies have vulnerable databases.

[Image Source: NVIDIA Wallpapers]

NVIDIA Forums is a popular stomping ground both for gaming enthusiasts and for programmers developing GPU applications using NVIDIA's proprietary CUDA API.

The first of two major concerns arising from the NVIDIA attack is the possibility of phishing.  Now that an unknown party has users emails, it could send them messages (as the NVIDIA post alludes to), trying to trick them into providing their password in plaintext or other personal details.

The second danger is the possibility that the hashed passwords could be cracked.  NVIDIA did not reveal what hashing algorithm it used, but the fact that it used a random salt value indicates that its passwords were likely relatively strongly hashed.

The announcement was actually the second major announcement of a SQL injection breach on Thursday.  Earlier, Yahoo! Inc. (YHOO) announced that hackers had found 453,000 of its user passwords.  Yahoo! was less fortunate than NVIDIA -- baffingly it decided to store its user passwords in plaintext, greatly increasing the potential damage to its users.

Source: NVIDIA Forums

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

I'm cursed - this is the sixt time in a year!
By BZDTemp on 7/13/2012 8:31:42 PM , Rating: 2
It is like where ever I've registered it is hacked and I'm always on the victim list. Luckily I haven't been using duplicate passwords and the mail address used is one for non-essential stuff but still this is getting old.

It is a scandal that companies have not yet gotten their security fixed - it's not like the guys at say Nvidia can claim they haven't heard of something like this happening.

By StevoLincolnite on 7/13/2012 9:40:17 PM , Rating: 3
It is a scandal that companies have not yet gotten their security fixed

The problem though is that regardless of what security measures are in place, it can always be broken or by-passed.

Case in point, you put iron bars on the windows of your home to stop intruders, just smash through the walls instead if it ain't brick.

It's an endless cycle of improving security as hackers get smarter.

By 440sixpack on 7/14/2012 1:24:42 PM , Rating: 2
Exactly, and it's allocation of resources too. Would you rather Nvidia were spending its time and money always working on their security, or making better video chips? They just have to decide where in the risk/reward area those activities fall.

"A politician stumbles over himself... Then they pick it out. They edit it. He runs the clip, and then he makes a funny face, and the whole audience has a Pavlovian response." -- Joe Scarborough on John Stewart over Jim Cramer

Most Popular ArticlesSmartphone Screen Protectors – What To Look For
September 21, 2016, 9:33 AM
UN Meeting to Tackle Antimicrobial Resistance
September 21, 2016, 9:52 AM
Walmart may get "Robot Shopping Carts?"
September 17, 2016, 6:01 AM
5 Cases for iPhone 7 and 7 iPhone Plus
September 18, 2016, 10:08 AM
Update: Problem-Free Galaxy Note7s CPSC Approved
September 22, 2016, 5:30 AM

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki