ShinyHunters Claims Breach of NVIDIA GeForce NOW User Data
During the week of May 2, 2026, the cybercrime group ShinyHunters advertised a purported database of NVIDIA GeForce NOW user records on an undisclosed cybercrime forum. The listing, which included sample records as evidence, claimed the dataset contained highly detailed user information, including full names, usernames, verified email addresses, dates of birth, membership status, subscription tiers, and two-factor authentication (2FA) enrollment flags.
ShinyHunters described the 2FA field as metadata indicating which accounts had multi-factor authentication enabled. The group has not disclosed the total number of records, the asking price, or the specific forum hosting the listing. This follows the group’s established pattern of posting stolen data for sale with sample proofs.
NVIDIA has not confirmed the breach. As of May 2, 2026, the company’s GeForce NOW status page listed only regional service delays in India and a maintenance notice for Call of Duty HQ, with no mention of a security incident. NVIDIA’s security advisories, including its GitHub-based PSIRT bulletins, also contained no references to a GeForce NOW data breach or ShinyHunters-related activity.
ShinyHunters, active since 2019, has claimed responsibility for breaching approximately 100 high-profile companies and 300–400 organizations since September 2025, primarily by exploiting misconfigured Salesforce Experience Cloud guest user access controls. The group employs voice phishing and credential-harvesting tactics, often impersonating IT support to obtain single sign-on (SSO) credentials. In June 2025, law enforcement disrupted part of its operations with arrests in France and a guilty plea by a U.S.-based member.
While the authenticity of the claimed breach remains unverified, the incident underscores ongoing risks associated with credential-based attacks and the potential exposure of sensitive user data.
Source: https://sqmagazine.co.uk/alleged-nvidia-geforce-now-shinyhunters-breach/
NVIDIA TPRM report: https://www.rankiteo.com/company/nvidia
"id": "nvi1777818242",
"linkid": "nvidia",
"type": "Breach",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'industry': 'Technology (Semiconductors, Cloud Gaming)',
'location': 'Global (Headquartered in Santa Clara, '
'California, USA)',
'name': 'NVIDIA',
'size': 'Large (Fortune 500)',
'type': 'Corporation'}],
'attack_vector': 'Exploitation of misconfigured Salesforce Experience Cloud '
'guest user access controls',
'data_breach': {'data_exfiltration': 'Claimed (unverified)',
'personally_identifiable_information': 'Full names, '
'usernames, verified '
'email addresses, '
'dates of birth, '
'membership status, '
'subscription tiers, '
'2FA enrollment flags',
'sensitivity_of_data': 'High (PII, 2FA enrollment flags)',
'type_of_data_compromised': 'Personally Identifiable '
'Information (PII), Account '
'Metadata'},
'date_detected': '2026-05-02',
'date_publicly_disclosed': '2026-05-02',
'description': 'During the week of May 2, 2026, the cybercrime group '
'ShinyHunters advertised a purported database of NVIDIA '
'GeForce NOW user records on an undisclosed cybercrime forum. '
'The listing included sample records as evidence, claiming the '
'dataset contained highly detailed user information, including '
'full names, usernames, verified email addresses, dates of '
'birth, membership status, subscription tiers, and two-factor '
'authentication (2FA) enrollment flags. NVIDIA has not '
'confirmed the breach, and no security advisories have been '
'issued.',
'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
'unverified breach claims',
'data_compromised': 'Full names, usernames, verified email '
'addresses, dates of birth, membership status, '
'subscription tiers, 2FA enrollment flags',
'identity_theft_risk': 'High (PII exposure)',
'systems_affected': 'NVIDIA GeForce NOW user database'},
'initial_access_broker': {'data_sold_on_dark_web': 'Claimed (unverified)',
'entry_point': 'Misconfigured Salesforce Experience '
'Cloud guest user access controls'},
'investigation_status': 'Unverified (NVIDIA has not confirmed the breach)',
'lessons_learned': 'Ongoing risks associated with credential-based attacks '
'and potential exposure of sensitive user data due to '
'misconfigurations.',
'motivation': 'Financial gain (data sale)',
'post_incident_analysis': {'root_causes': 'Potential misconfiguration in '
'Salesforce Experience Cloud guest '
'user access controls'},
'recommendations': ['Verify and secure Salesforce Experience Cloud guest user '
'access controls',
'Enhance monitoring for unauthorized access to user '
'databases',
'Implement multi-factor authentication (MFA) for all user '
'accounts',
'Conduct regular security audits and penetration testing',
'Develop a proactive communication strategy for potential '
'breaches'],
'references': [{'date_accessed': '2026-05-02',
'source': 'Cybercrime forum (undisclosed)'}],
'response': {'communication_strategy': 'No official confirmation or '
'advisories issued'},
'threat_actor': 'ShinyHunters',
'title': 'ShinyHunters Claims Breach of NVIDIA GeForce NOW User Data',
'type': 'Data Breach',
'vulnerability_exploited': 'Misconfigured Salesforce Experience Cloud guest '
'user access controls'}