7/16/2012
11:41 AM

Nvidia Investigates Password Breach

Hacker posts "Apollo Project" leak involving 800 forum and developer passwords.

Graphics and mobile processor manufacturer Nvidia has confirmed that about 800 users of its online forums had their personal information, including usernames and passwords, posted online.

Thursday, Nvidia said that earlier this month it suspended Nvidia Forums "in response to suspicious activity and immediately began an investigation," and apologized for the investigation continuing. "Know that we are working around the clock to ensure that secure operations can be restored."

Nvidia Friday then confirmed that "a small proportion of users' hashed passwords for DevZone has been posted publicly," via a statement posted to its Developer Zone site. "We continue to strongly recommend that you change any identical passwords that you may be using elsewhere." For now, however, Nvidia said that its Developer Zone would likewise remain offline until the company concluded its investigation.

"All user passwords for our forums will be reset when the system comes back online. At that time, an email with a temporary password, along with instructions on how to change it, will be sent to the user's registered email address," it said.

According to Nvidia, "unauthorized third parties" had gained access to some of its forum members' usernames, email addresses, public-facing "about me" information, as well as "hashed passwords with random salt value." But the company said that it "did not store any passwords in clear text." Furthermore, while users' "about me" profiles could contain "a user's title, age, birthdate, gender, location, interests, email, and website URL," all of those profiles were already publicly viewable.

In response to Nvidia's Thursday advisory, a hacker Friday posted to Pastebin a list of what he called "Nvidia Admin Hashes," as part of what he dubbed "The Apollo Project." The 800 leaked accounts included numerous nvidia.com email addresses, plus Hotmail and Gmail Webmail accounts, as well as corporate accounts at ARM, Bloomberg, Fibertek, Givex, Honda, Patriot Memory, and many other companies. According to the Pastebin post, the list was only a "partial dump" of purloined data. In addition, the post also warned that Nvidia's online store had been hacked. That led Nvidia, on Friday, to also suspend operations for the Nvidia Gear Store.

"But let's put this in perspective, this is only a forum hack," according to a note included in the Pastebin post. "I am actually suprised [sic] nVidia decided to even disclose that they'd been hacked quite a few weeks ago ... It did take them a while though. We aren't acting extremely maliciously, we've used this database to target disgusting corporations who deserve to be brought to justice ... and we are getting there, slowly but surely."

As noted, Nvidia urged all users to reset any of their forum passwords that they've reused elsewhere. "Password re-use is a big problem--with an alarming number of people using the same password on multiple sites," said Graham Cluley, senior technology consultant at Sophos, in a blog post. "The consequences of that lax attitude to security is that if you get hacked in one place, your other online accounts could also be accessed. For instance, if you used the same password on Nvidia as you did on your Web email account, it would be child's play for hackers to gain access to your personal communications and steal other information about you."

Nvidia's password breach disclosure follows on the heels of a hacking group calling itself "WikiBoat" announcing via CodePaste.net Wednesday that it had obtained 35,000 usernames for customers of surf-clothing maker Billabong. But the attackers said they were only releasing a subset of the data they'd obtained, which appears to run from email addresses that start with the letter "A" through to email addresses that start with the letter "M."

Meanwhile, a hacking group calling itself D33Ds Company last week released 450,000 usernames and passwords associated with Yahoo Voices--formerly known as Yahoo Contributor Network--as well as 420,000 passwords from question-and-answer website Formspring.

Those incidents followed recent password breaches involving LinkedIn, as well as eHarmony and Last.fm. With the exception of Yahoo, which appeared to be storing user passwords in plaintext, all of those breaches came to light after stolen password hashes were posted to online cracking forums.
