Monday, July 16th 2012

NVIDIA Forums Hack: Passwords Not Salted

A group of hackers calling itself "Team Apollo," which claimed responsibility for hacking the NVIDIA forums (forums.nvidia.com), posted the first piece of its exploits on Pastebin. The user data dump contains details of every fifth user of the forums. From what we can tell looking at the pasted data (which is now very much in the public domain), the passwords found in the user tables are not salted. NVIDIA was less than honest about that part.

The passwords are stored as raw MD5 hashes, which can be cracked fairly easily (when compared to hashes with salt values). To make matters worse, certain MD5 lookup websites have large databases of precomputed MD5 hashes of known phrases, potentially making it easy to recover the passwords behind these hashes. Or you could just use a CUDA-accelerated MD5 cracking tool, which munches through unsalted MD5 hash values at the speed of a small supercomputer. If you have an NVIDIA Forums account, and your passwords on other websites (forums, email accounts, banks) even remotely resemble that of your NVIDIA forums account, it is strongly recommended that you change your passwords on each of those other websites.
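The storage difference described above, as an added example that is not code from NVIDIA's forum software or from this article: raw MD5 beside a salted, slow hash (PBKDF2-HMAC-SHA256 from Python's standard library), with a check that shows why the unsalted table leaks more. The function names, the iteration count and the sample accounts are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Assumption: iteration count chosen for this example; tune it to your hardware.
PBKDF2_ITERATIONS = 600_000

def md5_unsalted(password):
    """Scheme the article describes: raw MD5 of the password, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def hash_password(password, salt=None):
    """Hardened storage: random per-user salt plus a deliberately slow KDF."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify_password(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)

def shared_hash_groups(table):
    """Return groups of users whose stored values are identical.

    Without a salt, equal passwords give equal hashes, so one precomputed
    table hit exposes every account in the group."""
    groups = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample accounts (not taken from the leaked data).
SAMPLE_USERS = {"alice": "foobarpass", "bob": "foobarpass", "carol": "x9!Lq2#vTz"}

def demo():
    unsalted = {u: md5_unsalted(p) for u, p in SAMPLE_USERS.items()}
    salted = {}
    for user, password in SAMPLE_USERS.items():
        salt, digest = hash_password(password)
        salted[user] = salt.hex() + "$" + digest.hex()
    return shared_hash_groups(unsalted), shared_hash_groups(salted)

if __name__ == "__main__":
    leaky, safe = demo()
    print("shared hashes, unsalted MD5:", leaky)
    print("shared hashes, salted PBKDF2:", safe)
```
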

55 Comments on NVIDIA Forums Hack: Passwords Not Salted

#26
newtekie1
Semi-Retired Folder
Oberon: Do they really need justification after stealing them in the first place? Looks like they kind of threw that whole "integrity" thing out the window already.
It might sound backwards, but some hackers do have integrity. Some hack into somewhere just to do it, then alert whoever they hacked to inform them how they did it so their security can be strengthened.

Though the people that hacked nVidia were obviously just doing it to be dicks.
#27
GSquadron
First of all, if I hack a password, I never tell anyone I stole (hacked) the password. I never use it to block their account
No matter what would be my 'nickname'
This all was made and paid very well to the programmers who cracked the forum for just that script in the pastebin. Read what they wrote very well. (I am referring to all)
That is the true reason why they hacked the forum.
Bear in mind that no matter how much I 'love god' I am never going to pay a hacker to hack nvidia forums. So the real reason, is to make you believe that these GREAT HACKERS, achieved that greatness on what they wrote on pastebin. It is just like phishing mind. The hack was paid very well. There is no real reason why the Apollo would hack the forum.
Why exactly Nvidia? What is the real matter? If you find this, you will surely find the next hacking, not only on internet, but in real life!

Actually reading it again, why apollo? Really he says religion and political and other stuff? Where is the real name he should have used?
(You know what I am talking about)
#28
tacosRcool
good thing I don't have an account there!
#29
TheMailMan78
Big Member
newtekie1: It might sound backwards, but some hackers do have integrity. Some hack into somewhere just to do it, then alert whoever they hacked to inform them how they did it so their security can be strengthened.

Though the people that hacked nVidia were obviously just doing it to be dicks.
I agree. But with that being said such hackers don't brag. The ones that brag are dicks as you said.
#30
KissSh0t
All I can say to "Team Apollo" is....

0101100101101111011101010010000001110000011000010111010001101000011001010111010001101001011000110010000001101000011000010110001101101011011001010111001000100000011100110110001101110101011011010010110000100000011001110110111100100000011100000110110001100001011110010010000001110111011010010111010001101000001000000111001101101111011011010110010101110100011010000110100101101110011001110010000001100101011011000111001101100101001000000110110001101001011010110110010100100000010100110110111101101110011110010010000001101111011100100010000001010101011000100110100101110011011011110110011001110100001011100010111000101110
#31
Disruptor4
tacosRcool: good thing I don't have an account there!
I don't remember if I do or not. Is there a way to find out?
#32
theJesus
johnnyfiive: Pfft. I use 'passw0rd' and never have been hacked. [0_o]/
Apparently you don't use that for here. :p
pantherx12: Is anyone else's Techpowerup password techpowerup.....
Apparently not you. :p
Disruptor4: I don't remember if I do or not. Is there a way to find out?
One would hope that they'd send an email to anybody with an account warning them to change their passwords . . .
#33
Disruptor4
KissSh0t: All I can say to "Team Apollo" is....

0101100101101111011101010010000001110000011000010111010001101000011001010111010001101001011000110010000001101000011000010110001101101011011001010111001000100000011100110110001101110101011011010010110000100000011001110110111100100000011100000110110001100001011110010010000001110111011010010111010001101000001000000111001101101111011011010110010101110100011010000110100101101110011001110010000001100101011011000111001101100101001000000110110001101001011010110110010100100000010100110110111101101110011110010010000001101111011100100010000001010101011000100110100101110011011011110110011001110100001011100010111000101110
What's wrong with Ubi?
theJesus: One would hope that they'd send an email to anybody with an account warning them to change their passwords . . .
One would hope so... and I think they are/have. Just haven't received one yet so yeah.
#34
KissSh0t
Disruptor4: What's wrong with Ubi?
Not allowing me to play the game I bought for my laptop where I don't have constant internet access.. lol.

Interesting Sony wasn't mentioned xD
#35
TRWOV
W1zzard: I use asdfgh and variations on many sites that want me to register for some lame reason and I don't want to give them any hints of my real passwords
:laugh: I use akjwss (an old Geocities issued password) for the same reason. I must have 30-40 forum accounts with that password (pro tip: my user name for those isn't TRWOV either) :cool:
#36
Mussels
Freshwater Moderator
actually, techpowerup has some cool password theft protection technology.


if you type your password, it appears in plain text to you, and asterisks to everyone else:


Mussels
***********
#37
TRWOV
wow it's true

TRWOV
******************
#38
theJesus
Mussels: actually, techpowerup has some cool password theft protection technology.


if you type your password, it appears in plain text to you, and asterisks to everyone else:


Mussels
***********
lemme try that:

*********
#39
TRWOV
I feel safer already :toast:
#41
jigar2speed
remixedcat: the password is:
bellybutton
Thanks, I have you now :laugh:
#42
Ikaruga
Guys, I was talking to someone at Nvidia yesterday, and he told me that the software they use doesn't even have an option to store the passwords in plain md5, and they are all salted. I understand this is something Nvidia would not rush to admit, but do you think it's possible that the pastebin info is fake?
#43
GSquadron
Really stupid. I was learning today that passwords with sha1 are extremely easy to implement, though they didn't waste money on their website.
And even want to earn millions!
#44
Mussels
Freshwater Moderator
Ikaruga: Guys, I was talking to someone at Nvidia yesterday, and he told me that the software they use doesn't even have an option to store the passwords in plain md5, and they are all salted. I understand this is something Nvidia would not rush to admit, but do you think it's possible that the pastebin info is fake?
entirely possible.
#45
Disparia
The notice is still up: www.nvidia.com/content/forums/index.html

If faked, it would have taken less than 5 minutes for nVidia to discredit the hacking. So it's either real and they're investigating how it happened... or it's an nVidia plot to frame Apollo!
#46
TheMailMan78
Big Member
Jizzler: The notice is still up: www.nvidia.com/content/forums/index.html

If faked, it would have taken less than 5 minutes for nVidia to discredit the hacking. So it's either real and they're investigating how it happened... or it's an nVidia plot to frame Apollo!
Yes I'm sure it's a vast conspiracy to frame Team Apollo. I can see it all now. Jen-Hsun dressed up like M. Bison from Street Fighter telling his minions to frame and stop Team Apollo and all their righteous endeavors to bring down evil corporations via the Nvidia forums. MASTER PLAN INDEED.
#47
Aquinus
Resident Wat-man
Aleksander Dishnica: Really stupid. I was learning today that passwords with sha1 are extremely easy to implement, though they didn't waste money on their website.
And even want to earn millions!
They do use a hashing algorithm, but what good is the hash if you're not salting the password? It doesn't take a lot of brute force power for a short password like "foobarpass." You add a salt to make it something like "supersaltfoobarpasssuperpepper," and that is much harder to brute force.

You also don't need to implement SHA1; many languages already have functions or classes and methods that handle hashing.
#48
claylomax
newtekie1: OMG! That is the combination to my luggage!
Priceless! :D
#49
Kreij
Senior Monkey Moderator
Aquinus: They do use a hashing algorithm, but what good is the hash if you're not salting the password? It doesn't take a lot of brute force power for a short password like "foobarpass." You add a salt to make it something like "supersaltfoobarpasssuperpepper," and that is much harder to brute force.
That has got to be the worst example of what using a random salt does to a password that I've ever seen. :laugh:

But you are right, Aquinus, salting makes it a lot harder to crack as well as using other things like multiple passes of encryption in combination with salts.

That being said, if you use a strong password and it's not salted, it still will have to be brute forced which is quite time consuming even with very powerful hardware.
#50
Widjaja
Unsalted hash passwords.....