Nvidia hacked; user records compromised
Nvidia's 'forums' was attacked using an SQL injection breach; the hackers have managed to obtain usernames, email addresses, hashed passwords and profile information
Nvidia has announced that they have been hacked. Nvidia forums seem to be the only asset attacked so far. The scenario is similar to the SQL injection attack that affected Sony, Nokia and others in recent months.
SQL injection attacks work on the vulnerability that internet user databases are publically hosted. The hacker then sends the database malformed request strings that are programmed to execute disallowed commands. These attacks can be overcome by careful programming, but in order to implement such protections, a lot of time and money has to be spent to ensure a continuous inability to breach the database. Hence, many companies have vulnerable databases.
Nvidia is concerned that the hackers could target user email addresses for phishing purposes, and be able to trick them into providing their passwords. Another concern is that the hashed passwords could be cracked. Nvidia didn't mention what hashing algorithm it used to protect its users' passwords.
Nvidia put up this message on its forums page, (forums.nvidia.com):
We did this in response to suspicious activity and immediately began an investigation. We apologize that our continuing investigation is taking this long. Know that we are working around the clock to ensure that secure operations can be restored.
Our investigation has identified that unauthorized third parties gained access to some user information, including:
hashed passwords with random salt value
public-facing "About Me" profile information
NVIDIA did not store any passwords in clear text. "About Me" optional profiles could include a user's title, age, birthdate, gender, location, interests, email and website URL - all of which was already publicly accessible.
NVIDIA is continuing to investigate this matter and is working to restore the Forums as soon as possible. We are employing additional security measures to minimize the impact of future attacks.
All user passwords for our Forums will be reset when the system comes back online. At that time, an email with a temporary password, along with instructions on how to change it, will be sent to the user's registered email address.
As a precautionary measure, we strongly recommend that you change any identical passwords that you may be using elsewhere.
NVIDIA does not request sensitive information by email. Do not provide personal, financial or sensitive information (including new passwords) in response to any email purporting to be sent by an NVIDIA employee or representative.