Thousands of Nvidia employee passwords leak online as hackers’ ransom deadline looms

The hacking group that claims to have taken a terabyte of data from chipmaking giant Nvidia is threatening to release the company’s “most closely-guarded secrets” today unless it meets the gang’s increasingly bizarre demands.

The Lapsus$ hacking group, which first claimed responsibility for the data breach last week, has already started leaking data. According to data breach monitoring website Have I Been Pwned, the hackers stole the credentials of more than 71,000 Nvidia employees. Several Nvidia email addresses known to TechCrunch all appeared compromised, according to our checks. The data includes email addresses and Windows password hashes, according to HIBP, “many of which were subsequently cracked and circulated within the hacking community.”

While Nvidia previously confirmed that employee credentials were taken in the attack, the company declined to confirm whether it has notified those affected or forced password resets for compromised accounts. Despite the increasing fallout from the incident — and the hacking group’s looming deadline — Nvidia’s incident response page has not been updated since Tuesday.

The hackers are now threatening to release Nvidia’s trade secrets, including schematics, source code and information on recent Nvidia graphics chips, including the as-yet-unannounced RTX 3090 Ti, unless Nvidia meets the group’s unusual demands. The group called on Nvidia to remove its controversial Lite Hash Rate (LHR) feature, which limits the Ethereum mining capabilities of its RTX 30 series graphics cards. This feature was introduced in early-2021 in response to having its stock depleted by the crypto-mining community, making it impossible for gamers to get their hands on the new graphics cards.

“We want Nvidia to push an update for all 30 series firmware that remove every LHR limitations otherwise we will leak [the hardware] folder,” said the Lapsus$ group on Telegram. “If they remove the LHR we will forget about [the] folder… We both know LHR impact mining and gaming.”

Earlier this week, Lapsus$ added another unusual demand: it wants Nvidia to open source its graphics chip drivers for macOS, Windows and Linux devices. The group gave Nvidia until March 4 — that’s today — to comply.

TechCrunch asked Nvidia whether it plans to meet the hackers’ demands, but the company declined to comment. Instead, the company pointed us to the same statement it released earlier this week.