Update May 9: NVIDIA has since confirmed that user data was exposed in a breach affecting GeForce NOW infrastructure operated by a third-party regional partner in Armenia. The company stated that NVIDIA-operated systems were not impacted.
According to NVIDIA, the incident was limited to infrastructure managed by GFN.am, a regional GeForce NOW Alliance partner responsible for service operations in Armenia. The partner also manages GeForce NOW infrastructure across several neighboring countries, though no broader regional impact has been confirmed.
GFN.am disclosed that the incident occurred between March 20 and March 26 and exposed user information including names, email addresses, phone numbers, dates of birth, and usernames. The operator stated that passwords were not compromised and that accounts created after March 9 were not affected.
NVIDIA’s confirmation follows earlier claims posted under the ShinyHunters name alleging the sale of millions of GeForce NOW user records. However, reports now indicate the actor behind the listing may have been impersonating the ShinyHunters group.
The original forum post advertising the alleged database has since been removed.
Victim status:
- Confirmed by company: Data breach affecting GFN.am regional GeForce NOW infrastructure in Armenia
- Partially confirmed: Exposure of user account data including names, email addresses, usernames, phone numbers, and dates of birth
- Unverified: Claims involving millions of records, direct compromise of NVIDIA infrastructure, TOTP metadata, internal account roles, and broader global GeForce NOW systems
The ShinyHunters threat group is claiming to have breached NVIDIA’s GeForce Now platform and is allegedly offering a full user database for sale, containing what they describe as millions of records tied to the cloud gaming service.
The listing surfaced on May 2, with the actor claiming the data was pulled directly from backend systems. The dataset is being marketed for $1000 in cryptocurrency and promoted for use in phishing, account takeover, and other forms of abuse. At time of publication, NVIDIA had not issued any public statement addressing the claim.
Claimed dataset includes identity and account metadata
According to the listing, the alleged database contains detailed user account information spanning both identity data and internal account attributes. The actor claims the dataset includes:
- Full names
- Email addresses
- Usernames and nicknames
- Date of birth data
- Account creation timestamps
- Membership status
- Email verification status
- TOTP and 2FA configuration indicators
- Internal roles and access flags
Samples shared by the actor show structured account records with fields consistent with authentication and profile management systems. While the format appears plausible, there is currently no independent verification confirming the dataset’s authenticity or scale.
Authentication metadata could enable targeted attacks
The inclusion of authentication-related fields such as TOTP status and account roles increases the potential value of the dataset beyond basic contact information. Even without passwords, verified email addresses paired with account metadata can be used to refine phishing campaigns or identify accounts that may lack multi-factor protection.
Internal role indicators may also provide insight into higher-privileged accounts, making them more attractive targets for follow-on attacks. This type of data is often leveraged in credential stuffing campaigns or social engineering operations designed to bypass account protections.
Pattern of ongoing claims across technology platforms
The alleged GeForce Now breach follows a series of recent claims tied to the group targeting technology and cloud-based platforms. These include incidents involving developer tools, SaaS providers, and large-scale user databases.
Recent reporting has also linked ShinyHunters to broader data exposure activity, including an alleged Vimeo data compromise and claims involving internal AI platform data, though verification levels vary across incidents.
The volume and frequency of these claims suggest a sustained campaign of data acquisition and monetization, though not all incidents have resulted in confirmed breaches.
Verification and impact remain unclear
There is currently no confirmation that NVIDIA systems have been compromised or that the dataset being sold is legitimate. The method of access, whether through direct compromise, third-party exposure, or aggregation from other sources, has not been disclosed.
Until independently verified, the claim should be treated with caution. However, the nature of the data described presents credible risk if authentic, particularly given the scale and type of information allegedly involved.
Users of GeForce Now should remain alert for phishing attempts and suspicious account activity, especially emails referencing account verification, login issues, or subscription changes.
