What happened
NVIDIA has confirmed a data breach affecting users of its GeForce NOW cloud gaming service in Armenia, following claims by a threat actor using the ShinyHunters name on a cybercrime forum that millions of user records had been stolen. NVIDIA clarified that its own infrastructure was not compromised and that the breach is limited to systems operated by GFN.am, its regional Alliance partner in Armenia.
GFN.am disclosed the breach occurred between March 20 and 26, 2026, with users who registered after March 9, 2026 confirmed as unaffected. The threat actor claimed to have stolen full names, email addresses, usernames, dates of birth, membership status, and 2FA and TOTP status, and listed the alleged database for sale at $100,000 in Bitcoin or Monero. The forum post has since been removed, and it is unclear whether the database was sold or deleted. NVIDIA and BleepingComputer noted that the threat actor claiming to be ShinyHunters is believed to be an impersonator, as the actual ShinyHunters group does not operate via forums or Telegram and has not posted related information on its leak site.
GFN.am operates as an independent Alliance partner with its own authentication systems, local customer databases, and regional billing infrastructure. According to NVIDIA’s help page, GFN.am also manages GeForce NOW operations in Azerbaijan, Georgia, Kazakhstan, Moldova, Ukraine, and Uzbekistan, though no impact on those countries has been confirmed. Affected users in Armenia will be notified directly by GFN.am.
Who is affected
GeForce NOW users registered with GFN.am in Armenia before March 9, 2026 are directly affected. The scope across the six other countries managed by GFN.am remains unconfirmed. NVIDIA’s global GeForce NOW user base is not affected based on current findings.
Why CISOs should care
The 2FA status field in the claimed dataset is the detail with the most operational relevance. If accurate, it allows attackers to filter the stolen records to identify accounts without two-factor authentication enabled, increasing the efficiency of credential stuffing and account takeover attempts against that population. The inclusion of membership status also provides targeting context for social engineering.
The broader lesson is the Alliance partner model itself. Regional partners operating with their own authentication systems and local databases create an independent attack surface that falls outside the primary vendor’s security controls and monitoring. A breach of a regional partner can expose user data associated with a globally recognized brand without touching the brand’s own infrastructure.
3 practical actions
- If your organization has employees or users with GFN.am accounts, advise them to treat any incoming GFN.am communication with caution: Legitimate notifications will come through GFN.am directly. Phishing attempts exploiting the breach are likely given that email addresses and names are in the claimed dataset. Users should verify by navigating directly to official channels rather than clicking links in any breach notification email.
- Review Alliance partner and regional operator security requirements in your own vendor contracts: The GFN.am incident illustrates that regional partners operating under a parent brand can expose user data without the parent’s infrastructure being touched. Assess whether your organization’s partnership and reseller agreements include adequate security requirements, audit rights, and breach notification obligations for partners holding customer data.
- Treat 2FA status exposure as a credential stuffing risk indicator: The claimed dataset includes whether accounts have 2FA enabled, enabling attackers to prioritize targets without that protection. For any service where 2FA adoption is incomplete across your user base, treat this type of breach as an elevated credential stuffing risk and consider enforcing mandatory 2FA enrollment rather than leaving it optional.
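As an added illustration of the third action (not from the article, NVIDIA or GFN.am), the following Python sketch flags sources in your own authentication logs that fail logins against many distinct accounts, then ranks the targeted accounts so that those without 2FA come first for forced enrollment or password reset. The log format, usernames, addresses and threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (assumption): 2FA enrollment per account in your own service.
TWO_FA = {"alice": True, "bob": False, "carol": False, "dave": True, "erin": False}

# Constructed log lines (assumed format): "<time> <source IP> <username> <password check OK|FAIL>"
LOG = """\
2026-04-02T10:00:01Z 203.0.113.7 alice FAIL
2026-04-02T10:00:02Z 203.0.113.7 bob FAIL
2026-04-02T10:00:03Z 203.0.113.7 carol FAIL
2026-04-02T10:00:04Z 203.0.113.7 dave FAIL
2026-04-02T10:00:05Z 203.0.113.7 bob OK
2026-04-02T10:05:00Z 198.51.100.20 erin FAIL
2026-04-02T10:05:09Z 198.51.100.20 erin OK
"""

def parse(log):
    """Yield (ip, user, result) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("OK", "FAIL"):
            yield parts[1], parts[2], parts[3]

def stuffing_sources(log, min_accounts=3):
    """Source IPs with failed logins against at least min_accounts distinct users."""
    failed = defaultdict(set)
    for ip, user, result in parse(log):
        if result == "FAIL":
            failed[ip].add(user)
    return {ip for ip, users in failed.items() if len(users) >= min_accounts}

def triage(log, two_fa, min_accounts=3):
    """Accounts touched by a stuffing source, highest risk first."""
    sources = stuffing_sources(log, min_accounts)
    report = {}
    for ip, user, result in parse(log):
        if ip not in sources:
            continue
        # Unknown accounts are treated as having no 2FA (conservative default).
        entry = report.setdefault(
            user, {"has_2fa": two_fa.get(user, False), "password_matched": False})
        if result == "OK":
            entry["password_matched"] = True
    # Order: password matched first, then accounts without 2FA, then by name.
    return sorted(report.items(),
                  key=lambda kv: (not kv[1]["password_matched"], kv[1]["has_2fa"], kv[0]))

if __name__ == "__main__":
    for user, info in triage(LOG, TWO_FA):
        print(user, info)
```

A single user mistyping a password (erin in the sample) does not trip the threshold; only the source that fails across several distinct accounts is treated as stuffing.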
