By now, even most casual tech industry observers are aware that Nvidia was hacked last week. Nvidia confirmed the attack, stating that it was "aware of a cybersecurity incident which impacted IT resources." The company went on to add that "we are aware that the threat actor took employee credentials and some NVIDIA proprietary information from our systems and has begun leaking it online."
South America-based hacking group Lapsus$ claimed responsibility for the cyberattack and now apparently has leaked the credentials of Nvidia employees online. As confirmed by the Have I Been Pwned monitoring website, credentials for 71,355 employees are accessible. According to the site, the available data includes "over 70k employee email addresses and NTLM password hashes, many of which were subsequently cracked and circulated within the hacking community."
The first thing that caught our attention is the sheer number of employee accounts allegedly affected. Given that this number seemed out of the ordinary based on publicly-accessible information, we reached out to Nvidia for clarification. The company confirmed that it has over 20,000 employees worldwide, but could not give us a more specific number. So those leaked credentials could include former employees, employees with multiple accounts to access internal (and external) services, etc. In addition, we verified that several of our Nvidia contacts were identified in the February 2022 breach according to Have I Been Pwned.
As if accessing employees' credentials wasn't bad enough, Lapsus$ also acquired two code signing certificates, although both are expired. Despite their expiration, researcher Bill Demirkapi says, "Windows still allows them to be used for driver signing purposes."
Tweet from Bill Demirkapi, March 3, 2022: "As part of the #NvidiaLeaks, two code signing certificates have been compromised. Although they have expired, Windows still allows them to be used for driver signing purposes. See the talk I gave at BH/DC for more context on leaked certificates: https://t.co/UWu3AzHc66"
Earlier this week, Lapsus$ reportedly leaked the source code for Deep Learning Super Sampling (DLSS), a competitor for AMD's open-source FidelityFX Super Resolution technology. The hacker group is also asking for $1 million for access to Nvidia's Light Hash Rate (LHR) cryptocurrency mining limiter found on more recent GeForce RTX 30 Series graphics cards. The LHR limiter reduced Ethereum mining performance by roughly 50 percent on these graphics cards, so removing the cap would make them more profitable for miners -- at least until "The Merge" takes place later this year.