--- title: "ShinyHunters Claim NVIDIA GeForce NOW User Database Theft" date: 2026-05-02 author: "Sofia Ramirez" featured_image: "https://sqmagazine.co.uk/wp-content/uploads/2026/05/shinyhunters-claim-nvidia-geforce-now-data-breach.jpg" categories: - name: "Cybersecurity" url: "/cybersecurity.md" tags: - name: "News" url: "/tag/news.md" --- # ShinyHunters Claim NVIDIA GeForce NOW User Database Theft The cybercrime collective ShinyHunters posted a forum listing during the week of May 2, 2026, claiming to have stolen a database of NVIDIA GeForce NOW user records, and NVIDIA has not confirmed the breach. Record count, asking price, and forum host remain undisclosed. ## Key Points - The listing, according to ShinyHunters’ own forum posting, was advertised on a cybercrime forum with sample records posted as evidence. - The listing’s claimed fields include full names and usernames, verified email addresses, dates of birth, membership status and subscription tiers, and 2FA / TOTP enrollment flags. - The breach is unconfirmed, according to NVIDIA’s silence on its security and status channels: NVIDIA has not confirmed anything, and the originating coverage names no specific forum, no record count, and no asking price. - The GeForce NOW status page on May 2, 2026 listed only “Long queue times in GeForce NOW” in the India region and a Call of Duty HQ maintenance item, with no security incident posted. ## What Happened? ShinyHunters posted a listing, claiming to have stolen a **GeForce NOW user database**. The fields, according to ShinyHunters’ description in the original posting, are unusually granular. The group claims the database includes full names and usernames, verified email addresses, dates of birth, membership status and subscription tiers, two-factor / TOTP metadata indicating which accounts have multi-factor authentication enabled, and internal account metadata such as roles and attributes. The 2FA field, according to ShinyHunters’ wording, is described as: 2FA / TOTP Status: Flags showing which accounts have two-factor authentication turned on. The originating coverage names no specific forum, no record count, and no asking price, and references only “**a well-known cybercrime forum**“. ShinyHunters posted sample records as evidence on the forum, a pattern the group has used in earlier listings. > 🚨 Threat actor “ShinyHunters” is claiming to be selling an alleged database linked to NVIDIA’s GeForce NOW platform on a cybercrime forum. > > The actor claims the dataset contains millions of user records, including names, email addresses, usernames, dates of birth, membership… [pic.twitter.com/F8ZuXV2OMF](https://t.co/F8ZuXV2OMF) > > — Dark Web Intelligence (@DailyDarkWeb) [May 2, 2026](https://twitter.com/DailyDarkWeb/status/2050542290532180202?ref_src=twsrc%5Etfw) ## NVIDIA’s Status Channels Are Silent The picture, according to NVIDIA’s own [GeForce NOW status feed](https://status.geforcenow.com/), is narrow. The page on May 2, 2026 showed two active incidents: a “Long queue times in GeForce NOW” item dated May 2, 2026 with status “Monitoring” affecting the India region, and a “Call of Duty HQ in maintenance” item dated April 30, 2026 with status “Investigating”. No security incidents, data breaches, or major service disruptions are reported on the status feed. NVIDIA’s security advisories page on May 2, 2026 carried no 2026 GeForce NOW [data breach](https://sqmagazine.co.uk/data-breach-statistics/) advisory and no ShinyHunters-related incident notice. NVIDIA’s PSIRT moved to publishing security bulletins on [GitHub](https://sqmagazine.co.uk/github-statistics/) in multiple formats starting October 1, 2025. Absence on those channels is not proof that no incident occurred; data-handling incidents flow through PSIRT and customer email. ## Shinyhunters Back in the Limelight ShinyHunters claims to have compromised approximately 100 high-profile companies, and 300 to 400 total breached organizations, since September 2025 by [exploiting misconfigured Salesforce Experience Cloud](https://sqmagazine.co.uk/salesforce-forcedleak-ai-prompt-injection/) guest user access controls on the /s/sfsites/aura API endpoint. According to Wikipedia’s profile of the group, ShinyHunters has been active since 2019 and uses voice phishing and credential-harvesting tactics, often impersonating IT support to obtain SSO credentials. Law enforcement disrupted part of the operation in June 2025, when French authorities arrested four members and Matthew D. Lane pleaded guilty in the U.S. District of Massachusetts. ## What Affected Subscribers Should Do Now? The fields claimed in the listing include names, emails, dates of birth, membership tier, and 2FA enrollment flags. Practical steps for GeForce NOW subscribers include rotating the account password, enabling multi-factor authentication on the NVIDIA account if not already on (rotation helps reduce the risk of credential-stuffing reuse, it does not prevent attacks), and treating any unsolicited email referencing GeForce NOW membership tier or renewal as a phishing vector. ShinyHunters tradecraft frequently includes [voice phishing](https://sqmagazine.co.uk/voice-phishing-statistics/) that impersonates IT support to harvest credentials, so subscribers should also be cautious of phone calls referencing their NVIDIA account. ## SQ Magazine’s Takeaway The Dark web data sale listing belongs to a credible threat actor. Even if the company keeps a mum on the current situation or accusations, it’s important to take matters in your own hands. Subscribers should imediately take all actions to secure their GeForce NOW accounts and avoid taking any suspicious calls pretending to be from GeForce Now team.