Nvidia GeForce NOW data breach confirmed — but luckily most of us will be safe, here's why

News
By published

The breach is limited to GeForce NOW in just one country

a silver card on a motherboard
(Image credit: Shutterstock)
  • Attackers typosquatted an OpenAI repo on HuggingFace, distributing an infostealer disguised as a “privacy filter” model
  • The malware disabled SSL checks, escalated privileges, and deployed the sefirah payload to steal credentials, crypto wallets, and system data
  • The fake repo hit 244K downloads and briefly topped HuggingFace rankings before removal, with other linked malicious repos also taken down

Nvidia GeForce NOW, a cloud-based gaming service which streams high-performance PC games to other devices, suffered a cyberattack recently, and lost sensitive customer data. However, the data seems to be limited to one country only - Armenia.

A threat actor posted a new thread on an underground hacking forum, offering “millions of user records” for sale.

The records, which allegedly include people’s names, email addresses, usernames, dates of birth, membership status, and 2FA/TOTP status, were being sold for a sum of $100,000, paid either in Bitcoin, or Monero.

Latest Videos From

ShinyHunters, or imposters?

Following the disclosure, Nvidia shared a statement with BleepingComputer, saying the breach was a result of a compromise in the infrastructure of a regional partner called GFN.am. This company manages all GeForce NOW operations in Azerbaijan, Georgia, Kazakhstan, Moldova, Ukraine, and Uzbekistan.

“Our investigation found no impact on NVIDIA-operated services,” Nvidia told the publication. “We are working closely with the partner to support their investigation and resolution. Impacted users will be notified by GFN.am."

The threat actor was using the ShinyHunters nickname, but the group apparently confirmed that this is an imposter that has no connections to the actual group.

At the same time, GFN.am confirmed that the breach took place between March 20 and March 28 2026, and that the miscreants stole names, emails, phone numbers, dates of birth, and usernames. Passwords were not affected, and neither were people who registered after March 9. We don’t know how many people are affected.

In the meantime, the forum post was deleted, which could mean a couple of things: either GFN negotiated with the attackers, or someone else purchased the database. It is also possible, since ShinyHunters confirmed this person to be an imposter, that the forum’s administrators actually removed the thread.

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Google logo on a black background next to text reading 'Click to follow TechRadar'

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.