ShinyHunters has surfaced again, this time claiming to have exfiltrated a database of millions of user records from NVIDIA's GeForce NOW cloud gaming platform. The listing was posted this week on a well-known cybercrime forum, with sample records included as proof. NVIDIA has not confirmed the incident, but the alleged dataset includes verified emails, dates of birth, and 2FA status flags that would meaningfully accelerate downstream attacks.
What Happened
A forum post attributed to ShinyHunters advertised a database the group claims was lifted from GeForce NOW, NVIDIA's cloud gaming service. The actor backed the claim by posting sample records and reiterated the announcement through Telegram channels associated with the group. NVIDIA has issued no public confirmation as of this writing, and the breach remains formally unverified.
The timing is consistent with ShinyHunters' 2026 activity pattern. The group has been tied to a string of incidents this year that leaned on social engineering and misconfigured cloud environments rather than novel exploits, and the sample data circulating so far carries the structural fingerprints of a production user table rather than scraped or recycled material.
What Was Taken
The forum listing describes a dataset specific enough to be operationally useful for follow-on attacks. According to ShinyHunters, the records include:
- Full names and usernames tying real identities to gaming handles
- Verified email addresses suitable for targeted phishing
- Dates of birth, useful for identity verification and profiling
- Membership details including subscription tier and account age
- 2FA and TOTP status flags indicating which accounts have multi-factor authentication enabled
- Internal account metadata, including roles and attributes from NVIDIA's backend systems
The volume claimed is in the millions of records. If accurate, this represents one of the larger gaming-platform exposures of the year.
Why It Matters
Most consumer breaches hand attackers an email list. This one allegedly hands them a triage list. The 2FA status field is the differentiator: instead of running credential stuffing against the entire dataset, an operator can filter directly to accounts with MFA disabled and concentrate on the population most likely to fall to reused passwords.
Layering verified names, birth dates, and subscription tiers on top of that produces phishing lures that are difficult to distinguish from legitimate NVIDIA correspondence. The gaming community is already a high-volume target for voice phishing and SMS-based account takeover. A dataset with this fidelity lowers the cost of those campaigns and raises their conversion rate. Expect impersonation of NVIDIA Support, fraudulent subscription renewal notices, and account recovery scams referencing real membership details.
The Attack Technique
ShinyHunters has not publicly disclosed an intrusion vector for this incident, and NVIDIA has not commented. The group's recent operations have centered on social engineering of help desks and identity providers, abuse of OAuth tokens, and access to misconfigured cloud storage and SaaS tenants rather than direct exploitation of victim infrastructure. The presence of internal account metadata in the alleged dump is more consistent with access to a production data store or backup than with a scraped or API-level extraction, but this remains an inference until NVIDIA confirms scope.
ShinyHunters' Track Record
The group built its name on the Tokopedia and Wattpad breaches and has more recently appeared in claims tied to ADT and Microsoft-adjacent environments. Their monetization pattern is consistent: sell access on a forum to the highest bidder, or hold the data as leverage against the victim organization for an extortion payout.
What Organizations Should Do
- Reset GeForce NOW account passwords and rotate any credentials reused across other services, prioritizing accounts flagged in the alleged dataset as lacking 2FA.
- Enable TOTP-based or hardware-key multi-factor authentication on NVIDIA accounts and any linked identity providers used for single sign-on.
- Brief users and help desk staff on a likely surge in NVIDIA-themed phishing, smishing, and vishing referencing real subscription details, names, and dates of birth.
- Monitor for credential stuffing against corporate SSO portals from email addresses that overlap with the leaked dataset, and consider preemptive password resets for matched accounts.
- For organizations with employees using GeForce NOW on corporate or BYOD devices, audit session tokens and force re-authentication on connected services.
- Track ShinyHunters forum and Telegram activity for sample expansions or pricing changes that signal whether the data is being sold, leaked publicly, or used for direct extortion.
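For the credential-stuffing monitoring item above, here is an added example (not from the source article or from NVIDIA) that matches SSO login failures against a list of exposed addresses and sorts the hits into follow-up actions. The log layout, field names, action labels, the three-IP threshold and the idea of holding the exposed list as SHA-256 hashes are all assumptions; the sample data is constructed.

```python
import hashlib
from collections import defaultdict

def email_hash(email):
    """SHA-256 of the normalised address, so the exposed list is never held in clear."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()

# Constructed sample data. Log layout and field names are assumptions.
EXPOSED = {email_hash(e) for e in ("alice@example.com", "bob@example.com", "dave@example.com")}
MFA_ENROLLED = {"alice@example.com"}  # from the organisation's own IdP, not the leaked flags
SSO_LOG = """\
2026-01-10T09:00:01Z user=bob@example.com ip=203.0.113.5 result=FAIL
2026-01-10T09:00:04Z user=bob@example.com ip=203.0.113.9 result=FAIL
2026-01-10T09:00:09Z user=Bob@Example.com ip=198.51.100.7 result=FAIL
2026-01-10T09:00:15Z user=bob@example.com ip=198.51.100.22 result=OK
2026-01-10T09:01:00Z user=alice@example.com ip=203.0.113.5 result=FAIL
2026-01-10T09:01:02Z user=alice@example.com ip=203.0.113.9 result=FAIL
2026-01-10T09:01:05Z user=alice@example.com ip=198.51.100.7 result=FAIL
2026-01-10T09:02:00Z user=dave@example.com ip=192.0.2.10 result=FAIL
2026-01-10T09:02:03Z user=dave@example.com ip=192.0.2.11 result=FAIL
2026-01-10T09:02:06Z user=dave@example.com ip=192.0.2.12 result=FAIL
2026-01-10T09:03:00Z user=carol@example.com ip=203.0.113.5 result=FAIL
"""

def triage(log_text, exposed, mfa_enrolled, min_ips=3):
    """Map each exposed account with failures from >= min_ips distinct IPs to an action."""
    fail_ips = defaultdict(set)
    success_after_burst = set()
    for line in log_text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[1:] if "=" in f)
        if not {"user", "ip", "result"} <= fields.keys():
            continue  # skip blank or unparseable lines
        user = fields["user"].strip().lower()
        if email_hash(user) not in exposed:
            continue  # this check covers only the overlap with the exposed list
        if fields["result"] == "FAIL":
            fail_ips[user].add(fields["ip"])
        elif fields["result"] == "OK" and len(fail_ips[user]) >= min_ips:
            success_after_burst.add(user)  # a login succeeded after a multi-IP failure burst
    actions = {}
    for user, ips in fail_ips.items():
        if len(ips) >= min_ips:
            actions[user] = ("investigate_and_reset" if user in success_after_burst else
                             "monitor" if user in mfa_enrolled else "reset_password")
    return actions

if __name__ == "__main__":
    for user, action in sorted(triage(SSO_LOG, EXPOSED, MFA_ENROLLED).items()):
        print(f"{user:22} {action}")
```

Accounts outside the exposed list are ignored here by design, so this check complements general credential-stuffing detection and does not replace it.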
Sources: NVIDIA GeForce NOW Data Breach: ShinyHunters Claims Millions of Records Stolen | The CyberSec Guru