
NVIDIA Confirms GeForce NOW Breach Limited to Armenian Partner, Exposes User Data

NVIDIA says a breach affecting GeForce NOW users was confined to its Armenian partner, GFN.am, exposing names, emails, phone numbers and birth dates.

Peter Olaleru, Cybersecurity Editor

Source: BleepingComputer

TL;DR: NVIDIA confirmed that a data breach affecting GeForce NOW users was confined to its Armenian partner, GFN.am, exposing personal details such as names, emails, phone numbers and birth dates. The threat actor claimed to have stolen the data and offered it for $100,000 in cryptocurrency.

Context: NVIDIA’s cloud gaming service GeForce NOW lets users stream games from remote GPUs. In Armenia the service is operated by partner GFN.am, which manages local authentication, billing and customer databases. The company said its own networks were not impacted.

Key Facts: Between March 20 and March 26, GFN.am detected unauthorized access to its systems. The breach exposed full names (for Google‑account users), email addresses, phone numbers (for mobile‑operator registrations), dates of birth and usernames. No passwords were compromised, and accounts created after March 9 were unaffected. A threat actor using the ShinyHunters moniker posted samples of the data on a hacker forum, claiming to have also taken membership status and 2FA/TOTP information, and offered the full database for $100,000 in Bitcoin or Monero. NVIDIA stated the incident was limited to the partner’s infrastructure and that affected users will be notified by GFN.am.

What It Means: The leaked personal data could be used for phishing, identity theft or credential‑stuffing attacks, especially if combined with the claimed 2FA/TOTP status. Security teams should monitor for suspicious login attempts, enforce multi‑factor authentication on all linked accounts, and educate users about unexpected communications requesting personal information. For partners like GFN.am, recommended mitigations include: applying the latest security patches to web applications and databases (CVE‑2022‑22965 is an example of a Spring Framework flaw that is often exploited), implementing network segmentation to isolate customer data, deploying web‑application firewalls with rules for MITRE ATT&CK technique T1190 (Exploit Public‑Facing Application), and enabling detailed logging with alerts for T1078 (Valid Accounts) and T1041 (Exfiltration Over Command‑and‑Control Channel).

Watch for any further sale or misuse of the exposed data, additional notifications from GFN.am, and updates from NVIDIA on whether the partner’s remediation efforts close the gap.
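The login monitoring recommended above, narrowed to the accounts the article says were exposed (those created on or before March 9), as an added example that is not from the article, NVIDIA or GFN.am. The log format, usernames, IP addresses, thresholds and the year of the cutoff date are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed sample data. The article gives "March 9" without a year, so the
# year below is a placeholder; usernames and IPs are invented (RFC 5737 ranges).
CUTOFF = date(2000, 3, 9)
CREATED = {"ani": date(2000, 1, 5), "davit": date(2000, 2, 11),
           "mariam": date(2000, 3, 1), "narek": date(2000, 3, 20)}
LOG = """\
2000-04-02T10:00:05 198.51.100.7 ani FAIL
2000-04-02T10:00:09 198.51.100.7 davit FAIL
2000-04-02T10:00:14 198.51.100.7 mariam FAIL
2000-04-02T10:00:21 198.51.100.7 davit OK
2000-04-02T10:03:00 203.0.113.20 narek FAIL
2000-04-02T10:03:30 203.0.113.20 narek OK
2000-04-02T11:30:00 192.0.2.44 ani FAIL
2000-04-02T11:31:00 192.0.2.44 ani OK
"""

def parse(log):
    """Yield (timestamp, source_ip, username, success) from 'ts ip user FAIL|OK' lines."""
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "OK"

def detect(log, created, cutoff, min_users=3, window=timedelta(minutes=10)):
    """Flag sources failing logins on many exposed accounts, and any success that follows."""
    exposed = {u for u, d in created.items() if d <= cutoff}
    fails = defaultdict(list)  # ip -> [(ts, user)] recent failures on exposed accounts
    alerts = []
    for ts, ip, user, ok in sorted(parse(log)):
        if user not in exposed:
            continue  # created after the cutoff, so not in the leaked set
        fails[ip] = [(t, u) for t, u in fails[ip] if ts - t <= window]
        targeted = {u for _, u in fails[ip]}
        if ok:
            # A success right after a multi-account failure burst suggests T1078.
            if len(targeted) >= min_users:
                alerts.append(("success_after_spray", ip, user))
            continue
        fails[ip].append((ts, user))
        if user not in targeted and len(targeted) + 1 == min_users:
            alerts.append(("spray", ip, user))
    return alerts

if __name__ == "__main__":
    for alert in detect(LOG, CREATED, CUTOFF):
        print(alert)
```

A single user mistyping a password (the `192.0.2.44` lines) and activity on an account created after the cutoff (`narek`) raise nothing; only the source that walks across several exposed usernames is flagged.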
