Nvidia GeForce NOW data breach confirmed, but luckily most of us will be safe, here's why

Attackers compromised an OpenAI repository on HuggingFace and distributed a data stealer disguised as a “privacy filter” model.
The malware disabled SSL checks, escalated privileges, and implemented the sefira payload to steal credentials, crypto wallets and system data
The fake repository reached 244,000 downloads and briefly topped the HuggingFace rankings before its removal, and other linked malicious repositories were also removed.

Nvidia GeForce NOW, a cloud-based gaming service that streams high-performance PC games to other devices, recently suffered a cyberattack and lost sensitive customer data. However, the data appears to be limited to a single country: Armenia.

A threat actor posted a new thread on an underground hacking forum, offering “millions of user records” for sale.

The records, which allegedly include people’s names, email addresses, usernames, dates of birth, membership status and 2FA/TOTP status, were being sold for a sum of $100,000, paid in Bitcoin or Monero.

ShinyHunters or impostors?

Following the disclosure, Nvidia shared a statement with beepcomputersaying that the breach was the result of a compromise in the infrastructure of a regional partner called GFN.am. This company manages all GeForce NOW operations in Azerbaijan, Georgia, Kazakhstan, Moldova, Ukraine and Uzbekistan.

“Our investigation found no impact on services operated by NVIDIA,” Nvidia told the publication. “We are working closely with the partner to support their investigation and resolution. GFN.am will notify affected users.”

The threat actor was using the nickname ShinyHunters, but the group apparently confirmed that he is an impostor who has no connections to the real group.

At the same time, GFN.am confirmed that the breach took place between March 20 and 28, 2026, and that the bad actors stole names, emails, phone numbers, dates of birth, and usernames. Passwords were not affected, nor were people who registered after March 9. We don’t know how many people are affected.

Meanwhile, the forum post was deleted, which could mean a couple of things: either GFN negotiated with the attackers or someone else bought the database. It’s also possible, since ShinyHunters confirmed that this person was an imposter, that the forum administrators actually deleted the thread.