Nvidia never denied that it got hacked. The GPU giant just didn’t say all that much about what happened, either.
But now — as we wait to see whether the hackers make good on their threat to dump hundreds of gigabytes of proprietary Nvidia data on the web, including details about future graphics chips, by an unspecified Friday deadline — the compromised email alert website Have I Been Pwned suggests that the scope of the hack includes a staggering 71,000 employee emails and hashes that may have allowed the hackers to crack their passwords (via TechCrunch).
It’s not clear how Have I Been Pwned obtained this info, and Nvidia won’t say. Nvidia would not confirm or deny to The Verge whether 71,000 employee credentials have been compromised, and it would not say whether it plans to comply with any of the hackers’ demands.
It is worth noting that Nvidia has far fewer than 71,000 employees — its last annual report lists 18,975 employees across 29 countries, though it’s possible the compromised email addresses include prior employees and aliases for groups of employees. (Companies that rely heavily on email often have a lot of mailing lists.) The Telegraph’s initial report suggested that the company’s internal systems, including email, had been “completely compromised,” and a leak of 71,000 employee credentials would line up with that.
Here is all that Nvidia is actually saying today, via spokesperson Hector Marinez:
On February 23, 2022, NVIDIA became aware of a cybersecurity incident which impacted IT resources. Shortly after discovering the incident, we further hardened our network, engaged cybersecurity incident response experts, and notified law enforcement.
We have no evidence of ransomware being deployed on the NVIDIA environment or that this is related to the Russia-Ukraine conflict. However, we are aware that the threat actor took employee credentials and some NVIDIA proprietary information from our systems and has begun leaking it online. Our team is working to analyze that information. We do not anticipate any disruption to our business or our ability to serve our customers as a result of the incident.
Security is a continuous process that we take very seriously at NVIDIA – and we invest in the protection and quality of our code and products daily.
That’s what we’d heard previously, and Nvidia’s cybersecurity incident response page hasn’t been updated since March 1st, either.
The LAPSUS$ hacking group, which has taken credit for the breach, had an unusually populist demand: it stated that it wants Nvidia to open source its GPU drivers forever and remove its Ethereum cryptocurrency mining nerf from all Nvidia 30-series GPUs (such as newer models of the RTX 3080) rather than directly asking for cash.
But they clearly want cash, too. The hackers have also publicly stated that they’ll sell a bypass for the crypto nerf for $1 million, and this morning, they briefly posted a message suggesting that today’s leak would be delayed while they discussed terms with a would-be buyer of Nvidia’s source code.
If Nvidia does pay up, something that’s not unheard of in these data ransom situations, I wouldn’t necessarily expect to hear about it anytime soon. It won’t necessarily be in either party’s best interests to say so. But if Nvidia doesn’t pay or comply and LAPSUS$ does have the data it claims, things might be about to get interesting.