Nvidia has never denied that it was hacked. The GPU giant also didn’t say much about what happened.
But now — while we wait to see if the hackers live up to their threat to dump hundreds of gigabytes of proprietary Nvidia data onto the web, including details about future graphics chips, by an unspecified deadline on Friday — the compromised email alert website Have I Been Pwned suggests the scope of the hack includes as many as 71,000 employee emails and hashes that allowed the hackers to crack their passwords (via UGG†
It’s not clear how Have I Been Pwned got this information, and Nvidia won’t say. Nvidia wouldn’t confirm or deny it The edge or 71,000 employee credentials have been compromised, and it wouldn’t say whether it plans to comply with the hackers’ demands.
It’s worth noting that Nvidia has far fewer than 71,000 employees — the latest annual report lists 18,975 employees in 29 countries, although it’s possible the compromised email addresses contained former employees and aliases for groups of employees. (Companies that rely heavily on email often have many mailing lists.) The TelegraphThe initial report suggested the company’s internal systems, including email, were “completely compromised,” and a leak of 71,000 employee credentials would match that.
Here’s all Nvidia is saying today, via spokesperson Hector Marinez:
On February 23, 2022, NVIDIA became aware of a cybersecurity incident affecting IT resources. Shortly after discovering the incident, we further strengthened our network, engaged cybersecurity incident experts and notified law enforcement.
We have no evidence that ransomware is deployed on the NVIDIA environment or related to the Russia-Ukraine conflict. However, we are aware that the threat actor took employee credentials and certain NVIDIA proprietary information from our systems and started leaking it online. Our team is in the process of analyzing that information. We do not expect any disruption to our business or our ability to serve our customers as a result of the incident.
Security is an ongoing process that we take very seriously at NVIDIA – and we invest daily in the protection and quality of our code and products.
That’s what we’d heard before, and Nvidia’s cybersecurity incident response page hasn’t been updated since March 1.
The LAPSUS$ hacking group, which has been credited for the breach, had an unusually populist demand: It stated it wants Nvidia to open source its GPU drivers forever and its Ethereum cryptocurrency mining nerf of all Nvidia 30-plus. series of GPUs (such as like newer models of the RTX 3080) instead of asking for cash directly.
But they obviously want cash too. The hackers also publicly stated that they will be selling a crypto nerf bypass for $1 million, and this morning they briefly posted a message suggesting that today’s leak be postponed while discussing the terms with a potential buyer of Nvidia’s. source code.
If Nvidia pays, which isn’t unheard of in these ransom situations, I wouldn’t necessarily expect to hear about it anytime soon. It’s not necessarily in the best interests of either party to say that. But if Nvidia doesn’t pay or don’t comply and LAPSUS$ has the data it claims, things can get interesting.