14 DAY TRIAL // An unauthorized intrusion into the NVIDIA network exposed credentials of employees to an unknown entity, prompting the administrators to initiate the invalidation procedure for the affected passwords.
As soon as the breach was detected, security upgrades were deployed in order to prevent future intrusions.
At least 500 individuals have been impacted
It is unclear at this moment how the attacker(s) managed to gain access to the database containing employee usernames and passwords, or if the passwords were stored in a secure manner.
The unauthorized access was identified at the beginning of the month, but the intrusion appears to have occurred on October 8, 2014.
Information about the incident is scarce right now, but the fact that the California Office of the Attorney General was informed indicated that the number of affected individuals is higher than 500.
We contacted NVIDIA representatives but no answer was received by the time of publishing this article.
As per California Civil Code, businesses have to notify the Office of the Attorney General if unencrypted personal information has been exposed to an unauthorized actor during a security incident; this includes email addresses in combination with passwords that could facilitate unfettered access to an online account.
In the letter to the affected individuals, NVIDIA Chief Information Officer Bob Worrall also included some measures for keeping data safe on the network, advising users to review the bank and credit card statements on a regular basis and check credit reports for any unauthorized activity.
CIO offers sound advice on spotting phishing attempts
Furthermore, he informed that any suspicion of identity theft or fraud should be reported to local police, the state’s Attorney General’s office, or the Federal Trade Commission (FTC).
Phishing attacks are the number one cause for breaches since individuals can be easily manipulated into accessing a fraudulent page designed to harvest sensitive information.
As such, Worall issued a warning about this kind of threat, which could be disguised as an email from a friend or colleague asking for private data, such as passwords, social security numbers, or bank account numbers.
This sort of details are never requested over email by companies and the main reason for this is that they already have them in the system.
One final piece of advice from NVIDIA’s CIO refers to security measures that could be taken in order to mitigate the risk of having an online account hijacked.
These consist of changing the password on a regular basis and avoiding using the same information for multiple accounts. Attackers often try the same credentials on multiple services, so by adopting unique passwords, if one account is compromised, all the others remain out of the reach of the perpetrator.
The letter continues with information about what can be done in case of an identity theft incident.
[UPDATE: December 24]: A representative from NVIDIA replied to our email and provided more information about the incident.
It is believed that one of the NVIDIA employees was specifically targeted by a phishing attack, which ultimately resulted in accessing without authorization the credentials of 4,000 employees.
The passwords were not saved in plain text, but in a hashed state (we received no information on whether salt was applied or not).
“We have no evidence suggesting that these have or are being used by the attackers on either NVIDIA or outside systems. As a precaution, we conducted a password reset across our entire system. The passwords had been stored in a hashed state in our authentication repository,” the NVIDIA representative told us via email.
Basically, it was a one-time intrusion that allowed the attacker to access unauthorized content. The most important part is that NVIDIA took the necessary precautions and changed the passwords, even if only their hashes were accessed.
