NVIDIA Confirms GeForce NOW Partner Breach Exposes Armenian Users’ PII
Breach at NVIDIA partner GFN.am leaks names, emails, birth dates and phone numbers of Armenian GeForce NOW users. No passwords or payment data exposed.

TL;DR: NVIDIA confirmed that a March 20‑26, 2026 intrusion at its Armenian cloud‑gaming partner GFN.am exposed personal data of GeForce NOW users. No credentials or payment details were taken, but the leak raises phishing and identity‑theft risks.
Context
GeForce NOW streams games from NVIDIA’s servers, but regional partners like GFN.am handle local user accounts and billing. The partnership creates a trusted link that attackers can abuse to reach partner‑held data without touching NVIDIA’s core infrastructure.
Key Facts
- Unauthorized access to GFN.am’s systems occurred between March 20 and March 26, 2026.
- Exposed information includes full names (for Google‑authenticated users), email addresses, usernames, dates of birth, and phone numbers (for mobile‑operator registrations).
- No passwords, payment card data, or authentication tokens were leaked.
- Users who registered after March 9, 2026 are not affected, as their data resides in a separate post‑breach database.
- NVIDIA publicly disclosed the breach on May 8, 2026 after a hacker forum post claimed the data was stolen by “ShinyHunters.” Investigators determined the poster is likely an impersonator with no ties to the real ShinyHunters group.
- GFN.am is directly notifying all affected Armenian users.
What It Means
The breach illustrates how a trusted‑relationship exploit (MITRE ATT&CK T1199) can lead to data collection (T1213) and exfiltration over web services (T1567). Although no credentials were taken, the exposed PII enables targeted phishing, SIM‑swap attempts, and social‑engineering scams. The incident is confined to Armenia; there is no evidence of spillover to other GFN.am‑operated markets such as Azerbaijan, Georgia, or Ukraine.
Mitigations
Organizations should review third‑party access controls and enforce the principle of least privilege for partner accounts. Implement continuous monitoring for anomalous data transfers, especially over HTTP/S channels, and consider deploying data‑loss‑prevention rules that flag large exports of user tables. Enable multi‑factor authentication on all administrative interfaces and regularly rotate service‑account credentials. For end users, advise vigilance against unexpected emails or SMS messages requesting personal information and encourage the use of authentication apps rather than SMS‑based verification where possible.
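An added example (not from NVIDIA, GFN.am, or the original article) of the kind of data‑loss‑prevention rule described above: it sums rows read from PII tables per account per hour and flags hours that exceed a hard limit or the account's own baseline. The log format, account names, table names and thresholds are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample audit lines in a hypothetical format (not real breach data).
SAMPLE_LOG = """\
2026-01-05T09:10:00Z account=svc-billing table=users rows=40
2026-01-05T10:12:00Z account=svc-billing table=users rows=55
2026-01-05T11:05:00Z account=svc-billing table=users rows=48
2026-01-05T11:20:00Z account=svc-report table=games rows=900000
2026-01-05T12:01:00Z account=svc-billing table=users rows=30000
2026-01-05T12:40:00Z account=admin-new table=users rows=80000
"""

SENSITIVE_TABLES = {"users"}   # assumption: tables that hold PII
HARD_LIMIT = 50_000            # assumption: rows/hour no account should exceed
BASELINE_FACTOR = 20           # flag an hour above 20x the account's prior median
LINE_RE = re.compile(r"^(\S+) account=(\S+) table=(\S+) rows=(\d+)$")

def hourly_reads(log_text):
    """Sum rows read from sensitive tables per (account, hour)."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(3) not in SENSITIVE_TABLES:
            continue  # skip malformed lines and non-PII tables
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        totals[(m.group(2), ts.replace(minute=0, second=0))] += int(m.group(4))
    return totals

def flag_exports(log_text):
    """Return (account, hour, rows, reason) for hours that look like bulk exports."""
    per_account = defaultdict(list)
    for (account, hour), rows in sorted(hourly_reads(log_text).items()):
        per_account[account].append((hour, rows))
    alerts = []
    for account, windows in per_account.items():
        for i, (hour, rows) in enumerate(windows):
            history = [r for _, r in windows[:i]]  # only earlier hours count
            if rows > HARD_LIMIT:
                alerts.append((account, hour.isoformat(), rows, "hard limit"))
            elif history and rows > BASELINE_FACTOR * median(history):
                alerts.append((account, hour.isoformat(), rows, "baseline"))
    return alerts

if __name__ == "__main__":
    for alert in flag_exports(SAMPLE_LOG):
        print(alert)
```

The hard limit catches accounts with no history (such as a newly created admin), while the baseline check catches a long‑lived service account whose read volume suddenly departs from its norm even though it stays under the absolute cap.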
Watch for any follow‑up phishing campaigns targeting Armenian GeForce NOW users and for further disclosures about whether the stolen database was sold or deleted.