An investigation by TechPower Up has revealed that user passwords in NVIDIA’s forum database were stored only as raw, unsalted MD5 hashes.
Shortly after the NVIDIA forum break-in occurred, the company released a statement claiming that all passwords were “hashed passwords with random salt value”.
With salted passwords, an extra layer of security exists because a random value (the salt) is generated for each user and stored alongside that user’s hash. The same password then produces a different hash for every user, so an attacker cannot reverse a whole database with one precomputed table of hashes and their plaintexts. Such precomputed tables are known as rainbow tables, and salting is precisely what makes them useless. Salting passwords is considered an industry best practice: during the Steam break-in it was revealed that Valve hashes and salts user passwords.
Team Apollo, the hacking clan that breached NVIDIA’s forums, posted a sample of its bounty — one fifth of the list of usernames and passwords — on PasteBin Monday morning. Upon examination of the list, TechPower Up noticed that the passwords were stored as raw MD5 hashes, which can be easily broken using publicly available precomputed MD5 lookup tables or, ironically, a CUDA-accelerated MD5 cracking tool.
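To make the difference between the two paragraphs above concrete, the following is an added example (not code from the article, from TechPower Up, or from NVIDIA). It builds a small precomputed MD5 lookup table over a constructed wordlist, shows that an unsalted hash falls to a single dictionary lookup, shows that a per-user salt forces the attacker back to hashing every candidate for every user, and finishes with the salted, deliberately slow PBKDF2 scheme a practitioner would actually use. The wordlist and the "leaked" records are constructed for the demonstration; the function names are the example's own.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist for the demo (not taken from any real leak).
WEAK_PASSWORDS = ["password", "123456", "nvidia", "letmein", "geforce"]


def md5_hex(text: str) -> str:
    """Unsalted MD5 exactly as the article says the forum stored it."""
    return hashlib.md5(text.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> plaintext once. A rainbow table is a
    space-optimised form of this same idea; for a demo a dict suffices."""
    return {md5_hex(p): p for p in candidates}


def crack_unsalted(leaked_hashes, table):
    """One dictionary lookup per leaked hash: no hashing at crack time,
    and the same table reverses every user in every unsalted database."""
    return {h: table[h] for h in leaked_hashes if h in table}


def store_salted_md5(password: str):
    """Per-user random salt stored next to the hash (still MD5, still weak)."""
    salt = os.urandom(16).hex()
    return salt, md5_hex(salt + password)


def crack_salted(leaked_records, candidates):
    """With a salt the precomputed table is useless: the attacker must hash
    every candidate again for every user. Returns (cracked, hash_ops) so the
    extra work is visible. MD5 is so fast that this is still cheap, which is
    why salting alone is not enough."""
    cracked, hash_ops = {}, 0
    for user, (salt, stored) in leaked_records.items():
        for candidate in candidates:
            hash_ops += 1
            if md5_hex(salt + candidate) == stored:
                cracked[user] = candidate
                break
    return cracked, hash_ops


def store_pbkdf2(password: str, iterations: int = 200_000):
    """Salt plus a deliberately slow KDF: each guess costs `iterations`
    HMAC-SHA256 computations instead of one MD5."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_pbkdf2(password: str, record) -> bool:
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def demo():
    """Constructed three-user 'leak' run through all three scenarios."""
    table = build_lookup_table(WEAK_PASSWORDS)
    unsalted_leak = [md5_hex("nvidia"), md5_hex("geforce"), md5_hex("correct horse")]
    unsalted = crack_unsalted(unsalted_leak, table)

    salted_leak = {u: store_salted_md5(p)
                   for u, p in [("alice", "nvidia"), ("bob", "geforce"), ("carol", "correct horse")]}
    table_hits = sum(h in table for _, h in salted_leak.values())
    salted, ops = crack_salted(salted_leak, WEAK_PASSWORDS)

    record = store_pbkdf2("nvidia", iterations=1_000)
    return {
        "unsalted_cracked": len(unsalted),
        "salted_table_hits": table_hits,
        "salted_cracked": len(salted),
        "salted_hash_ops": ops,
        "pbkdf2_ok": verify_pbkdf2("nvidia", record) and not verify_pbkdf2("geforce", record),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two weak passwords fall instantly in the unsalted case and the strong one survives; in the salted case the table matches nothing, yet the same two weak passwords are still recovered because the attacker simply recomputes MD5 per user. Only the PBKDF2 step changes the economics, which is why "hashed with random salt" is necessary but not sufficient.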
To make matters worse, Team Apollo has revealed that it has penetrated deeper into NVIDIA’s network than just the forum.
“But let’s put this in perspective, this is only a forum hack,” according to a note included in the Pastebin post. “I am actually suprised [sic] nVidia decided to even disclose that they’d been hacked quite a few weeks ago … It did take them a while though. We aren’t acting extremely maliciously, we’ve used this database to target disgusting corporations who deserve to be brought to justice … and we are getting there, slowly but surely.”
NVIDIA has not responded to Hardware Canucks’ request for comment at this time.