Executive Summary
On May 8, 2026, NVIDIA confirmed a data breach affecting Armenian users of its GeForce NOW cloud gaming service, specifically through its regional partner GFN.am. The breach, which occurred between March 20 and March 26, 2026, resulted in the exposure of personally identifiable information (PII) including full names (for users authenticating via Google), email addresses, usernames, dates of birth, and phone numbers (for users registering via mobile operator). No account passwords or payment data were exposed. The incident is limited to the infrastructure operated by GFN.am in Armenia, with no evidence of impact to NVIDIA’s global infrastructure or users outside Armenia. Impacted users are being notified directly by GFN.am. The breach increases the risk of targeted phishing and identity-based scams for affected users. All findings are corroborated by multiple independent sources, including direct statements from NVIDIA and GFN.am (BleepingComputer, Cloaked.com, MSN).
Technical Information
The breach originated from a compromise of GFN.am’s infrastructure, which operates the GeForce NOW service in Armenia as a third-party alliance partner of NVIDIA. According to official statements, the breach did not affect NVIDIA’s own network or infrastructure. The attack window was between March 20 and March 26, 2026. The exposed data includes full names (for users authenticating via Google), email addresses, usernames, dates of birth, and phone numbers (for users registering via mobile operator). No passwords or payment data were compromised, and users who registered after March 9, 2026, are not affected (BleepingComputer, Cloaked.com, MSN).
The breach was publicly disclosed after a threat actor using the nickname “ShinyHunters” claimed responsibility on a hacker forum, offering the stolen database for sale. However, all primary sources indicate that this actor is likely an impersonator, and there is no technical evidence linking the real ShinyHunters group to the incident. The forum post has since been removed, and it is unclear whether the database was sold or deleted (BleepingComputer).
Technical analysis confirms that the breach was limited to GFN.am’s systems. GFN.am operates independent authentication and customer databases, separate from NVIDIA’s global infrastructure. The attack did not involve malware, ransomware, or known hacking tools, and no technical indicators such as malware hashes or exploited vulnerabilities (CVEs) have been reported. The breach aligns with the MITRE ATT&CK technique “Trusted Relationship” (T1199), where attackers exploit the trust between organizations and their partners to gain access to sensitive data (MITRE ATT&CK T1199). The attacker collected data from information repositories (T1213) and likely exfiltrated it over web services (T1567), as evidenced by the database being offered for sale online (MITRE ATT&CK T1213, MITRE ATT&CK T1567).
There is no evidence of impact to NVIDIA’s operations in other countries managed by GFN.am, such as Azerbaijan, Georgia, Kazakhstan, Moldova, Ukraine, or Uzbekistan. The breach is confined to Armenian users, and no spillover to other sectors or geographies has been observed.
Affected Versions & Timeline
The breach specifically affected users of GeForce NOW in Armenia who registered before March 9, 2026. The compromise occurred between March 20 and March 26, 2026. Users who registered after March 9, 2026, are not impacted, as confirmed by GFN.am and corroborated by all primary sources (BleepingComputer, Cloaked.com, MSN).
The incident timeline is as follows:
March 9, 2026: Users registering after this date are not affected.
March 20–26, 2026: Unauthorized access to GFN.am infrastructure and data exfiltration.
May 8, 2026: Public disclosure and confirmation by NVIDIA, GFN.am, and multiple news outlets.
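The scoping rule above can be applied to an account export to decide who is notified and about which fields. The following is an added example, not code from NVIDIA, GFN.am or the cited sources. The record layout (id, region, auth, registered) and the auth labels are assumptions, and registrations dated exactly March 9 go to manual review because the report only states "before" and "after".

```python
from datetime import date

CUTOFF = date(2026, 3, 9)          # registration cutoff stated in the report
BASE = {"email", "username", "date_of_birth"}

def exposure(user):
    """Return (status, exposed_fields) for one account record."""
    reg = date.fromisoformat(user["registered"])
    if user["region"] != "AM" or reg > CUTOFF:
        return "not_affected", set()
    fields = set(BASE)
    if user["auth"] == "google":
        fields.add("full_name")        # names exposed only for Google sign-in
    elif user["auth"] == "mobile_operator":
        fields.add("phone_number")     # phones exposed only for operator sign-up
    # "before" is affected, "after" is not; the cutoff day itself is unstated.
    return ("review" if reg == CUTOFF else "affected"), fields

def follow_ups(fields):
    """Map exposed fields to the user-facing steps the report recommends."""
    steps = []
    if fields:
        steps.append("watch for phishing referencing the account")
        steps.append("enable 2FA on accounts sharing this email")
    if "phone_number" in fields:
        steps.append("review phone-based recovery options (SIM-swap risk)")
    if "date_of_birth" in fields:
        steps.append("replace security answers based on date of birth")
    return steps

def triage(users):
    """Build the per-account notification record: status, fields, steps."""
    out = {}
    for u in users:
        status, fields = exposure(u)
        out[u["id"]] = {"status": status, "fields": sorted(fields),
                        "steps": follow_ups(fields)}
    return out

# Constructed sample records (not real data); field names are assumptions.
SAMPLE = [
    {"id": "u1", "region": "AM", "auth": "google", "registered": "2025-11-02"},
    {"id": "u2", "region": "AM", "auth": "mobile_operator", "registered": "2026-03-09"},
    {"id": "u3", "region": "AM", "auth": "email", "registered": "2026-03-15"},
    {"id": "u4", "region": "GE", "auth": "google", "registered": "2025-01-10"},
]

if __name__ == "__main__":
    for uid, row in triage(SAMPLE).items():
        print(uid, row["status"], row["fields"])
```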
Threat Activity
The threat activity centers on the compromise of GFN.am’s infrastructure, resulting in unauthorized access to user PII. The attacker, posing as “ShinyHunters” on a hacker forum, claimed to have stolen millions of user records and offered the database for sale. However, the real identity and affiliation of the threat actor remain unconfirmed, and the claim is widely believed to be opportunistic rather than linked to the actual ShinyHunters group (BleepingComputer, Cloaked.com).
The exposed data includes full names, email addresses, usernames, dates of birth, and phone numbers, but no passwords or payment data. The nature of the exposed information increases the risk of targeted phishing, SIM-swap attacks, and identity-based scams. There is no evidence of credential stuffing or direct financial fraud risk, as no authentication credentials were leaked.
No malware, ransomware, or advanced persistent threat (APT) activity has been reported in connection with this incident. The breach method is consistent with exploitation of a trusted relationship (MITRE ATT&CK T1199) and unauthorized data collection (T1213), with possible exfiltration over web services (T1567).
Mitigation & Workarounds
The following mitigation and workaround recommendations are prioritized by severity:
Critical: All affected users should remain vigilant for phishing emails, SMS messages, and unsolicited contact attempts that reference their GeForce NOW account or personal information. Users should not respond to suspicious communications and should report them to GFN.am or relevant authorities.
High: Users should enable two-factor authentication (2FA) on all accounts where possible, especially those using the same email address as their GeForce NOW registration. Although no passwords were exposed, attackers may attempt to leverage exposed PII for social engineering.
Medium: Users should monitor their accounts for unusual activity and consider changing security questions or recovery options if they overlap with the exposed data (such as date of birth or phone number).
Low: Users who registered after March 9, 2026, are not affected and do not need to take immediate action, but should remain aware of general cybersecurity best practices.
GFN.am has stated that impacted users will be notified directly. No action is required for users outside Armenia or those who registered after March 9, 2026. Organizations should review their own third-party risk management practices, especially when relying on regional partners for user authentication and data storage.
References
BleepingComputer: https://www.bleepingcomputer.com/news/security/nvidia-confirms-geforce-now-data-breach-affecting-armenian-users/
Cloaked.com: https://www.cloaked.com/post/could-your-geforce-now-account-be-in-the-armenia-breach--what-was-exposed-and-what-should-you-do-now?vid=019e0ae4-62ca-7e44-ae71-27bd85656fa3
MSN: https://www.msn.com/en-us/news/insight/nvidia-says-geforce-now-breach-limited-to-armenian-partner/gm-GM4C0946A3?gemSnapshotKey=GM4C0946A3-snapshot-5&uxmode=ruby
MITRE ATT&CK T1199: https://attack.mitre.org/techniques/T1199/
MITRE ATT&CK T1213: https://attack.mitre.org/techniques/T1213/
MITRE ATT&CK T1567: https://attack.mitre.org/techniques/T1567/
About Rescana
Rescana provides a Third-Party Risk Management (TPRM) platform designed to help organizations identify, assess, and monitor risks associated with external partners and service providers. Our platform enables continuous visibility into third-party security posture, supports incident response workflows, and assists in mapping exposures to industry frameworks such as MITRE ATT&CK. For questions about this incident or to discuss third-party risk management strategies, contact us at ops@rescana.com.

