Nvidia GeForce NOW data breach confirmed – but thankfully most of us want to be safe, here’s why

Attackers have hacked an OpenAI repo on HuggingFace and distributed an infostealer disguised as a “privacy filter” model
The malware disabled SSL checks, escalated privileges, and deployed sefirah payload to steal credentials, crypto wallets and system data
The fake repo hit 244,000 downloads and briefly topped the HuggingFace rankings before it was removed, with other associated malicious repos also removed

Nvidia GeForce NOW, a cloud-based gaming service that streams high-performance PC games to other devices, recently suffered a cyber attack and lost sensitive customer data. However, the data appears to be limited to just one country – Armenia.

A threat actor posted a new thread on an underground hacking forum offering “millions of user records” for sale.

The records, which allegedly include people’s names, email addresses, usernames, birth dates, membership status and 2FA/TOTP status, were sold for a sum of $100,000, paid in either Bitcoin or Monero.

ShinyHunters or Scammers?

Following the reveal, Nvidia shared a statement with Bleeping Computerand said the breach was the result of a compromise in the infrastructure of a regional partner called GFN.am. This company manages all GeForce NOW operations in Azerbaijan, Georgia, Kazakhstan, Moldova, Ukraine and Uzbekistan.

“Our investigation found no impact on NVIDIA-powered services,” Nvidia told the publication. “We are working closely with the partner to support their investigation and resolution. Affected users will be notified by GFN.am.”

The threat actor used the ShinyHunters nickname, but the group apparently confirmed that this is an impostor with no connection to the actual group.

At the same time, GFN.am confirmed that the breach took place between March 20 and March 28, 2026, and that the perpetrators stole names, e-mails, phone numbers, dates of birth and usernames. Passwords were not affected, and neither were people who signed up after March 9. We do not know how many people are affected.

In the meantime, the forum post was deleted, which could mean a couple of things: either GFN negotiated with the attackers, or someone else bought the database. It’s also possible that since ShinyHunters confirmed that this person was a fraud, the forum admins actually removed the thread.