
A threat actor impersonating the ShinyHunters extortion group claims to be selling “millions of real user records” allegedly stolen from Nvidia’s GeForce Now service. Nvidia says the incident affects only a third-party partner in Armenia, not services it operates itself.
The threat actor, using the ShinyHunters handle, claims to have breached GeForce Now, Nvidia’s cloud gaming service. The listing was posted on the latest iteration of BreachForums, a once-infamous cybercrime marketplace repeatedly crippled by internal compromise, law enforcement takedowns, and administrative instability.
“I pulled their entire user database straight from the backend. Millions of real user records,” the threat actor claims.
“I’m selling the full database for only $100K USD (BTC or XMR only). One-time payment, instant delivery.”
However, this threat actor isn’t the original infamous extortion gang ShinyHunters, which previously stated it doesn't operate via forums or Telegram. ShinyHunters has not posted any related information on its leak site, which is a central repository for the gang’s major breach disclosures and extortion demands.
While this raises serious doubts about the claim’s credibility, it cannot be completely disregarded.
Update: Nvidia says the issue is limited to a partner based in Armenia
According to an Nvidia spokesman, a cybersecurity issue has affected a third party: a GeForce NOW Alliance partner in Armenia.
“Our investigation found no impact on Nvidia-operated services. The issue is limited to systems run by a third-party GeForce NOW Alliance partner based in Armenia. We are working closely with the partner to support their investigation and resolution,” the spokesman told Cybernews.
Nvidia leverages alliance partners to expand its service reach to users around the globe.
According to the GeForce Now support page, the service in Armenia is operated by GFN.AM, which also covers Azerbaijan, Georgia, Kazakhstan, Moldova, Ukraine, and Uzbekistan. GFN.AM is offered by GFN CLOUD INTERNET SERVICES, a limited liability company registered in the Republic of Armenia that holds exclusive ownership rights to the service.
“We are aware of the security breach at GFN.AM and took the necessary steps to contain it. We make every effort to protect data and take all claims seriously. Impacted users will be notified directly within the next 24 hours,” the company posted in the security advisory.
What do the hackers claim?
The hackers claim to belong to the UNC6040 and UNC6240 threat clusters tracked by the Google Threat Intelligence Group (GTIG), which were responsible for major Salesforce voice phishing attacks last year. These clusters have consistently claimed affiliation with the well-known hacking group ShinyHunters, likely to increase pressure on their victims.
ShinyHunters has previously also posted extortion demands based on data stolen by UNC6040. The exact relationship between the threat groups remains unclear, but GTIG tracks them as related clusters.
The listing includes only a few data samples, whose field names appear consistent with Keycloak, an open-source identity and access management platform. They are not sufficient to independently verify the claims.
The hackers warn GeForce Now users that their personal data is now for sale and list it as including:
- First and last names
- Verified email addresses
- Platform usernames
- Dates of birth
- Membership and authentication status
- Internal roles
- Access flags
- Account creation timestamps
As well as other attributes.
“These records presumably refer to GeForce NOW users specifically. If true, this information could be cross-referenced to other gaming platforms, such as Steam, as well as lead to scams that would specifically try to exfiltrate Steam account info to access game libraries, Steam credits, and other valuable data,” Rasa Jurgutyte, our Cybernews security researcher, noted.
The sample of five entries suggests that some fields are optional: some records lack a date of birth, but they all contain allegedly leaked emails, full names, and usernames.
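When a listing's sample looks like a Keycloak export, the first thing a practitioner can do before attempting any verification is check whether the records are actually shaped like Keycloak's admin-API UserRepresentation (the same object that carries `emailVerified`, `enabled`, `realmRoles`, the `access` flag map, and `createdTimestamp`) and measure how many records fill each PII field. The following Python triage helper is an added example, not code from the article, Nvidia, GFN.AM or the seller; its records are constructed dummy data, and the `dateOfBirth` attribute name and the `gfn` realm name are assumptions (Keycloak has no built-in date-of-birth field, so one would appear as a custom attribute).

```python
"""Triage helper: is a leaked user dump shaped like a Keycloak user export?
Added example; records below are constructed dummy data, not the listing's."""
import json
from datetime import datetime, timezone

# Top-level keys of Keycloak's admin REST API UserRepresentation (the subset a
# realm/user export normally carries). Keys outside it are reported as foreign.
KEYCLOAK_USER_FIELDS = {
    "id", "createdTimestamp", "username", "enabled", "totp", "emailVerified",
    "firstName", "lastName", "email", "attributes", "requiredActions",
    "disableableCredentialTypes", "notBefore", "access", "realmRoles",
    "clientRoles", "groups", "federationLink", "serviceAccountClientId",
}
# Keys of the per-user "access" map (the "access flags" a listing might cite).
KEYCLOAK_ACCESS_FLAGS = {"manageGroupMembership", "view", "mapRoles", "impersonate", "manage"}

def _record(n, dob=None):
    """Build one constructed dummy record in UserRepresentation shape."""
    attrs = {"membership": ["priority" if n % 2 else "free"]}
    if dob:
        attrs["dateOfBirth"] = [dob]  # assumption: DOB kept as a custom attribute
    return {
        "id": f"00000000-0000-4000-8000-00000000000{n}",
        "createdTimestamp": 1_700_000_000_000 + n * 86_400_000,  # epoch millis
        "username": f"player0{n}", "enabled": True, "totp": False,
        "emailVerified": True, "firstName": "Test", "lastName": f"User{n}",
        "email": f"player0{n}@example.invalid", "attributes": attrs,
        "requiredActions": [], "realmRoles": ["default-roles-gfn", "member"],
        "access": {"manageGroupMembership": True, "view": True, "mapRoles": True,
                   "impersonate": False, "manage": True},
    }

# Constructed sample: five users, three with a date of birth, wrapped the way a
# realm export with users is (a "users" array inside the realm object).
SAMPLE_EXPORT = json.dumps({"realm": "gfn", "users": [
    _record(1, "1990-01-01"), _record(2), _record(3, "1985-06-30"),
    _record(4), _record(5, "2001-12-12"),
]})
# Constructed counter-example in a generic "users table" shape, for contrast.
NOT_KEYCLOAK = json.dumps([
    {"user_id": 1, "email": "a@example.invalid", "password_hash": "$2b$12$..."},
])

def parse_export(text):
    """Accept either a bare list of users or a realm export with a 'users' key."""
    data = json.loads(text)
    if isinstance(data, dict) and isinstance(data.get("users"), list):
        data = data["users"]
    if not isinstance(data, list) or not all(isinstance(r, dict) for r in data):
        raise ValueError("expected a JSON array of user objects")
    return data

def foreign_keys(records):
    """Top-level keys that are not part of UserRepresentation."""
    return set().union(*(r.keys() for r in records)) - KEYCLOAK_USER_FIELDS

def foreign_access_flags(records):
    """Keys in any 'access' map that Keycloak does not emit."""
    return set().union(*(r.get("access", {}).keys() for r in records)) - KEYCLOAK_ACCESS_FLAGS

def keycloak_score(records):
    """Share of distinct top-level keys that belong to UserRepresentation (0..1)."""
    keys = set().union(*(r.keys() for r in records))
    return len(keys & KEYCLOAK_USER_FIELDS) / len(keys) if keys else 0.0

def coverage(records, path):
    """Fraction of records with a non-empty value at a dotted path."""
    hits = 0
    for r in records:
        value = r
        for part in path.split("."):
            value = value.get(part) if isinstance(value, dict) else None
        hits += value not in (None, "", [], {})
    return hits / len(records) if records else 0.0

def created_dates(records):
    """Render createdTimestamp (epoch milliseconds in Keycloak) as ISO dates."""
    return [datetime.fromtimestamp(r["createdTimestamp"] / 1000, tz=timezone.utc).strftime("%Y-%m-%d")
            for r in records if isinstance(r.get("createdTimestamp"), int)]

def triage(text):
    """Summarise how Keycloak-like a dump is and which PII fields it fills."""
    records = parse_export(text)
    return {
        "records": len(records),
        "keycloak_score": keycloak_score(records),
        "foreign_keys": foreign_keys(records),
        "foreign_access_flags": foreign_access_flags(records),
        "coverage": {p: coverage(records, p) for p in
                     ("email", "firstName", "username", "attributes.dateOfBirth", "realmRoles")},
        "created": created_dates(records),
    }

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EXPORT), indent=2, default=sorted))
```

On the constructed sample the score is 1.0 with no foreign keys and date-of-birth coverage of 0.6, matching the "optional field" pattern described above, while the generic users-table record scores one third and exposes `user_id` and `password_hash` as foreign keys. A high score only says the dump is shaped like Keycloak output (which an impersonator can also fabricate); it says nothing about whether the rows belong to the victim named in the listing.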
“This is perfect for doxxing, account takeovers, phishing, and more,” the threat actor claims.
This “pitch” isn’t consistent with ShinyHunters’ operational behavior of demanding a ransom from the targeted organization and leaking the data if negotiations fail. ShinyHunters has previously targeted BreachForums itself and warned about impersonators.
The broader instability of the cybercrime ecosystem adds to the difficulty of verifying any threat actors’ claims: BreachForums was compromised and collapsed, and opportunistic actors are rushing to fill the void.
Cybernews previously reported that cybercriminals leaked a database containing detailed information on 323,986 BreachForums users.
Another competing forum is attempting to incorporate all the displaced users into a new platform and hire them as VECT ransomware affiliates. However, security researchers recently found that the malware isn’t capable of recovering encrypted data.
Updated on May 5th [07:30 a.m. GMT] with a statement from Nvidia, additional information.