NVIDIA staff shouldn’t have chosen passwords like these…

NVIDIA staff passwords cracked and found woeful

Last month, the LAPSUS$ hacking group stole up to one terabyte of internal data from graphics card maker NVIDIA.

The hackers claimed to have stolen source code from the GPU chip manufacturer, as well as the email addresses and password hashes of some 71,335 employees.

Obviously, any theft of data is not good news. And to make matters worse, many of the passwords were subsequently cracked and circulated via hacking forums.

Of course, you would hope that any sensible NVIDIA employee would have chosen a sensible hard-to-crack password, and ensured that they weren’t using the same password anywhere else on the internet.

That, after all, is the advice the computer-using public has been given for years now to reduce the potential impact of any password data breach.

So, I wonder what the most common passwords might be that were used by the breached NVIDIA employees? An analysis by Specops Software of 30,000 of the leaked passwords found that these were the top 10 base words:

  1. nvidia
  2. nvidia3d
  3. mellanox
  4. ready2wrk
  5. welcome
  6. password
  7. mynvidia3d
  8. nvda
  9. qwerty
  10. september

Oh dear. Somehow I don’t think you would need to use a powerful NVIDIA GPU for very long to crack that motley collection.

Companies need to adopt better enforcement policies for employee passwords to protect users from making bad decisions. The use of obvious words like “nvidia”, “password”, and “qwerty” should have never been allowed by NVIDIA.
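
An enforcement policy of this kind comes down to rejecting any password built on a banned base word, even when it is dressed up with capitals, digits or symbol substitutions. The following is an added example, not code from this article or from Specops; the substitution map, the function names and the 12-character minimum are assumptions, and the sample passwords are constructed.

```python
import re

# Top-10 base words listed in the article (Specops analysis of the leak).
BANNED_BASE_WORDS = (
    "nvidia", "nvidia3d", "mellanox", "ready2wrk", "welcome",
    "password", "mynvidia3d", "nvda", "qwerty", "september",
)

# Assumption: a small illustrative substitution map, not an exhaustive one.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def _forms(text):
    """Return the lowercased text and its de-leeted variant, separators removed."""
    lower = text.lower()
    # Translate before stripping, because "@" and "$" are themselves separators.
    return {re.sub(r"[^a-z0-9]", "", f) for f in (lower, lower.translate(LEET))}


def banned_base_words(password, banned=BANNED_BASE_WORDS):
    """List every banned base word that the candidate password is built on."""
    candidates = _forms(password)
    hits = []
    for word in banned:
        # Compare both forms of the word so entries that contain digits
        # themselves ("nvidia3d", "ready2wrk") still match.
        if any(w and w in c for w in _forms(word) for c in candidates):
            hits.append(word)
    return hits


def is_acceptable(password, min_length=12):
    """Hypothetical policy hook: reject short passwords and banned base words."""
    return len(password) >= min_length and not banned_base_words(password)


if __name__ == "__main__":
    # Constructed sample inputs, not values taken from the leak.
    for sample in ("Nvidia2022!", "P@ssw0rd1", "Qw3rty#99", "Ready2Wrk",
                   "violet-tuba-armchair-9"):
        print(sample, banned_base_words(sample) or "ok")
```

Substring matching is deliberately strict, so a short entry such as "nvda" will also reject longer passwords that merely contain it.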

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast.

2 comments on “NVIDIA staff shouldn’t have chosen passwords like these…”

  1. Phil Phillips

    Decades ago the IBM mainframe password rules options included enforced non-reuse, construction and duration rule options – so, as login admin we could enforce some level of security of passwords BUT senior management couldn't be bothered with any serious strength being enforced AND turned a blind eye to staff in a 24/7 banking ops centre sharing IDs – eventually spotted by auditing log-in/out durations (in weeks in some cases). Surely some comparable functionality can be implemented in modern operating systems BUT again it is up to the senior management to insist the rules are appropriate and applied.

  2. Leo

    2FA needs to be mandatory for everything. We can’t fix dumb and that is what this was DUMB.
