Nvidia never denied that it got hacked. The GPU giant just didnât say all that much about what happened, either.
But now â as we wait to see whether the hackers make good on their threat to dump hundreds of gigabytes of proprietary Nvidia data on the web, including details about future graphics chips, by an unspecified Friday deadline â the compromised email alert website Have I Been Pwned suggests that the scope of the hack includes a staggering 71,000 employee emails and hashes that may have allowed the hackers to crack their passwords (via TechCrunch).
Itâs not clear how Have I Been Pwned obtained this info, and Nvidia wonât say. Nvidia would not confirm or deny to The Verge whether 71,000 employee credentials have been compromised, and it would not say whether it plans to comply with any of the hackersâ demands.
It is worth noting that Nvidia has far fewer than 71,000 employees â its last annual report lists 18,975 employees across 29 countries, though itâs possible the compromised email addresses include prior employees and aliases for groups of employees. (Companies that rely heavily on email often have a lot of mailing lists.) The Telegraphâs initial report suggested that the companyâs internal systems, including email, had been âcompletely compromised,â and a leak of 71,000 employee credentials would line up with that.
Here is all that Nvidia is actually saying today, via spokesperson Hector Marinez:
On February 23, 2022, NVIDIA became aware of a cybersecurity incident which impacted IT resources. Shortly after discovering the incident, we further hardened our network, engaged cybersecurity incident response experts, and notified law enforcement.
We have no evidence of ransomware being deployed on the NVIDIA environment or that this is related to the Russia-Ukraine conflict. However, we are aware that the threat actor took employee credentials and some NVIDIA proprietary information from our systems and has begun leaking it online. Our team is working to analyze that information. We do not anticipate any disruption to our business or our ability to serve our customers as a result of the incident.
Security is a continuous process that we take very seriously at NVIDIA â and we invest in the protection and quality of our code and products daily.
Thatâs what weâd heard previously, and Nvidiaâs cybersecurity incident response page hasnât been updated since March 1st, either.
The LAPSUS$ hacking group, which has taken credit for the breach, had an unusually populist demand: it stated that it wants Nvidia to open source its GPU drivers forever and remove its Ethereum cryptocurrency mining nerf from all Nvidia 30-series GPUs (such as newer models of the RTX 3080) rather than directly asking for cash.
But they clearly want cash, too. The hackers have also publicly stated that theyâll sell a bypass for the crypto nerf for $1 million, and this morning, they briefly posted a message suggesting that todayâs leak would be delayed while they discussed terms with a would-be buyer of Nvidiaâs source code.
If Nvidia does pay up, something thatâs not unheard of in these data ransom situations, I wouldnât necessarily expect to hear about it anytime soon. It wonât necessarily be in either partyâs best interests to say so. But if Nvidia doesnât pay or comply and LAPSUS$ does have the data it claims, things might be about to get interesting.