Nvidia has confirmed that hundreds of thousands of accounts on its official forum have been leaked to ne'er-do-wells as the result of an intrusion on its website last week.
Late last week, Nvidia suspended all access to its official forums - forums.nvidia.com - as it investigated an attack. That attack, the company has now concluded, resulted in persons unknown making off with the user name, email address, profile information and hashed passwords for around 400,000 accounts.
Nvidia has stated that it has reset all passwords to a temporary value, which will be provided via email to each account holder. While this fixes the problem of the leaked passwords, it's still an issue for those who used the same password on other sites. 'As a precautionary measure,
' Nvidia recommends, 'we strongly recommend that you change any identical passwords that you may be using elsewhere.
While similar to the attack on Yahoo last week, which saw a similar number of account credentials leaked
, Nvidia's approach to information security has greatly lessened the potential impact of the breach. Where Yahoo stored password values in plain text, Nvidia stored only the one-way hashes of the passwords - and further used a random salt value each time to dramatically increase the complexity of a brute-force attack on the hashes.
Although that doesn't necessarily put users in the clear - simple passwords of fewer than eight characters or comprising dictionary words will likely still fall victim to a targeted attack on the hashes - it's a ray of sunshine in a period of time where credential-leaking breaches are coming thick and fast.
While the company further investigates the breach, it is keeping five of its user-facing sites - Nvidia Forum, Developer Zone, Nvidia Research Site, Nvidia Board Store and Nvidia Gear Store - offline until it is sure that the flaw has been resolved and the systems made secure once more.