Nvidia admits forums hacked, user data swiped
GPU = Great Personal Upset?
Updated: Nvidia has admitted that it suspended its user forums last week because they were hacked and posters' personal data lifted.
The graphics chip maker said last night that its investigation followed the discovery that "unauthorised third-parties gained access to some user information", specifically user login names, email addresses and profiles, though the latter comprised only information forum users could view anyway.
Nvidia was quick to state that while it had not stored users' passwords in the clear, the hackers did get hold of hashed passwords with a random salt value.
When the forums come back up - Nvidia couldn't say when this will take place beyond a general "as soon as possible" - all user passwords will be automatically reset. It will email users to prompt them to change their new, freshly assigned password.
Nvidia also warned forum folk who use their password for other sites to go and change those magic words, just in case.
If you receive any email seemingly from Nvidia requesting "personal, financial or sensitive information", ignore it, the company said: it's not from us. ®
Update
Nvidia has also confirmed that the buggers got into its Developer Zone site, which has now been closed down too, pending the outcome of its ongoing investigation into the hack.
COMMENTS
hashed and salted
I'm curious to see if these hashed and salted pwds will find their way on the web.
It should give good protection and give the hackers a run for their money to figure them out.
It *is* bad that it took Nvidia a week to notify ppl about it though.
Re: Cracked, not Hacked
Yes, yes. It's a bit sad that someone needs to point out that language evolves and now 'hacked' means 'cracked' as well.
C.
Cracked, not Hacked
When will we stop misusing the term "hack" to describe computer security breakers? The correct term for a security breaker is "cracker".
The term "hacker" was coined in the 1950s at MIT's Tech Model Railroad Club, before there was any computer security to be broken. A hacker is simply anybody who uses ingenuity to solve problems in a playful manner.
Using the term "hacker" to refer to crackers is the same as using the term "Asian" to refer to NASCAR drivers. It makes no sense.
Just because you've seen one or two Asians driving NASCAR does not mean all NASCAR drivers are Asian.
Re: Have had the e-mail this morning
> If the random text is truly random on a per account basis,
It is. It needs to be unique per account. The gain in security comes because it is impractical to pre-compute and store rainbow tables for all possible values of the salt. If you used a single salt for all of your records it would be practical for an attacker who discovered it to compute rainbow tables to discover your passwords.
> there must be a record of it somewhere
Yes, you can either store it separately, e.g. in its own field in the user's record in a database, or concatenate it to the hashed password (used for Unix /etc/passwd at some point).
> they simply need to subtract the details of column 'X' (or whatever it's called) from the password to get back to the user's password.
It doesn't work like that. You calculate/store/compare hash(salt + password). For a decent hash function subtracting the salt from the hash doesn't give you the password.
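
The per-account salt scheme discussed in the comment above, as an added example that is not part of the original article or thread. It swaps the plain hash(salt + password) for PBKDF2-HMAC-SHA256 from Python's standard library; the `salt$digest` record format, the iteration count and the sample passwords are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor for this example


def hash_password(password, salt=None):
    """Return 'salt_hex$digest_hex'; a fresh random salt is drawn per account."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def precomputed_table(words):
    """Unsalted SHA-256 lookup table, the kind a per-account salt makes useless."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}


# Constructed sample data: two accounts that chose the same password.
alice = hash_password("correct horse")
bob = hash_password("correct horse")
table = precomputed_table(["letmein", "correct horse"])
unsalted = hashlib.sha256(b"correct horse").hexdigest()

if __name__ == "__main__":
    # The salt sits in the record in the clear, yet the digest still differs
    # per account and cannot be looked up in a table built without that salt.
    print("same password, different records:", alice != bob)
    print("unsalted hash found in table:", unsalted in table)
    print("salted digest found in table:", alice.split("$")[1] in table)
    print("verify correct / wrong:",
          verify_password("correct horse", alice),
          verify_password("Correct horse", alice))
```
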
