NVIDIA: We've Been Hacked, User Records Lost
July 13, 2012 6:00 PM
Fortunately passwords appear to have been strongly hashed
NVIDIA Corp. had some bad news to announce late yesterday. The site posted the following statement on its Forums page:
NVIDIA suspended operations of the NVIDIA Forums (forums.nvidia.com) last week.
We did this in response to suspicious activity and immediately began an investigation. We apologize that our continuing investigation is taking this long. Know that we are working around the clock to ensure that secure operations can be restored.
Our investigation has identified that unauthorized third parties gained access to some user information, including:
hashed passwords with random salt value
public-facing "About Me" profile information
NVIDIA did not store any passwords in clear text. "About Me" optional profiles could include a user’s title, age, birthdate, gender, location, interests, email and website URL – all of which was already publicly accessible.
NVIDIA is continuing to investigate this matter and is working to restore the Forums as soon as possible. We are employing additional security measures to minimize the impact of future attacks.
All user passwords for our Forums will be reset when the system comes back online. At that time, an email with a temporary password, along with instructions on how to change it, will be sent to the user’s registered email address.
As a precautionary measure, we strongly recommend that you change any identical passwords that you may be using elsewhere.
NVIDIA does not request sensitive information by email. Do not provide personal, financial or sensitive information (including new passwords) in response to any email purporting to be sent by an NVIDIA employee or representative.
), and others likely fell victim to an SQL injection attack. SQL injection attacks exploit the fact that internet user databases sit behind publicly reachable web applications: the attacker sends malformed request strings designed to make the database execute disallowed commands. They can be defeated by careful programming, but implementing protections is a time-intensive and expensive process, hence many companies have vulnerable databases.
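The "careful programming" defense mentioned above, as an added example that is not from the article or from NVIDIA: the same user lookup written with string concatenation and with a bound parameter. The table layout, function names and sample rows are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory forum user table filled with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT, pw_hash TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.com", "hash-a"),
         ("bob", "bob@example.com", "hash-b"),
         ("o'neil", "oneil@example.com", "hash-c")],
    )
    return db

def lookup_concat(db, name):
    """Vulnerable: the request string becomes part of the SQL text."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_param(db, name):
    """Hardened: the request string is bound as data, never parsed as SQL."""
    return db.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()

# Constructed malformed request string of the kind the article describes.
MALFORMED = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    # Concatenation turns the input into an always-true condition.
    print("concat:", lookup_concat(db, MALFORMED))
    # The bound parameter is compared literally, so nothing matches.
    print("param: ", lookup_param(db, MALFORMED))
    # A legitimate name containing a quote breaks the concatenated query,
    # which is often the first visible symptom in application error logs.
    try:
        lookup_concat(db, "o'neil")
    except sqlite3.OperationalError as exc:
        print("concat error:", exc)
    print("param: ", lookup_param(db, "o'neil"))
```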
NVIDIA Forums is a popular stomping ground both for gaming enthusiasts and for programmers developing GPU applications using NVIDIA's proprietary CUDA API.
The first of two major concerns arising from the NVIDIA attack is the possibility of phishing. Now that an unknown party has users' email addresses, it could send them messages (as the NVIDIA post alludes to), trying to trick them into providing their password in plaintext or other personal details.
The second danger is the possibility that the hashed passwords could be cracked. NVIDIA did not reveal what hashing algorithm it used, but the fact that it used a random salt value indicates that its passwords were likely relatively strongly hashed.
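What a per-account random salt changes in a leaked table, as an added example that is not from the article: NVIDIA did not reveal its algorithm, so PBKDF2-HMAC-SHA256, the iteration count and the sample accounts below are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 100_000  # assumed work factor, not a value from the article

# Constructed sample accounts; two users picked the same password.
ACCOUNTS = {"alice": "correct horse", "bob": "correct horse", "carol": "tr0ub4dor"}

def hash_unsalted(password):
    """Fast, unsalted digest: equal passwords give equal stored values."""
    return hashlib.sha256(password.encode()).digest()

def hash_salted(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte random salt per account."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_salted(password, salt)[1], expected)

def accounts_sharing_a_digest(digests):
    """Count accounts whose stored digest also appears on another account."""
    counts = Counter(digests.values())
    return sum(1 for d in digests.values() if counts[d] > 1)

def build_tables():
    """Return the same accounts stored unsalted and stored with salts."""
    unsalted = {u: hash_unsalted(p) for u, p in ACCOUNTS.items()}
    salted = {u: hash_salted(p) for u, p in ACCOUNTS.items()}
    return unsalted, salted

if __name__ == "__main__":
    unsalted, salted = build_tables()
    # Unsalted: one cracked or precomputed digest exposes both alice and bob.
    print("unsalted duplicates:", accounts_sharing_a_digest(unsalted))
    # Salted: every digest is unique, so each account must be attacked alone.
    salted_digests = {u: d for u, (s, d) in salted.items()}
    print("salted duplicates:  ", accounts_sharing_a_digest(salted_digests))
    salt, digest = salted["alice"]
    print("login check:", verify("correct horse", salt, digest))
```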
The announcement was actually the second major announcement of a SQL injection breach on Thursday. Earlier, Yahoo! Inc. announced that hackers had found 453,000 of its user passwords. Yahoo! was less fortunate than NVIDIA -- bafflingly, it decided to store its user passwords in plaintext, greatly increasing the potential damage to its users.
7/13/2012 11:38:33 PM
It's long been my experience that 9/10 database developers know quite little about SQL, so I'd assume those hosting the databases know even less.
It really isn't that complicated. I took a SQL 2005 (v5.5) class at a community college nearly a decade ago and can still securely deploy and upgrade older databases to SQL 2008. Not much has changed, in fact, they've actually tightened it down since its introduction in Windows NT, forcing you to perform a secure deployment (unless you stick with legacy compatibility).
But as OP said, it isn't completely a SQL problem, it's the link (or LINQ) from another program that leaves the holes.
7/16/2012 10:22:22 AM
It's more like more often than not companies would rather not revamp existing systems that sometimes are older than 10 years. Hindsight is 20/20, but getting approval to correct a security loophole you weren't privy to as a community at the time or wasn't as much of an issue back then is not the easiest thing.
Esp if you have to get approval from shareholders at any given moment.
Don't get me wrong, fixing this stuff is essential... there's just reasons why it persists to this day and will for a few years more.
Copyright 2013 DailyTech LLC.