Last month, the LAPSUS$ hacking group stole up to one terabyte of internal data from graphics card maker NVIDIA.
The hackers claimed to have stolen source code from the GPU chip manufacturer, as well as the email addresses and password hashes of some 71,335 employees.
Obviously, any theft of data is not good news. And to make matters worse, many of the passwords were subsequently cracked and circulated via hacking forums.
Of course, you would hope that any sensible NVIDIA employee would have chosen a sensible hard-to-crack password, and ensured that they weren’t using the same password anywhere else on the internet.
That, after all, is the advice the computer-using public has been given for years now to reduce the potential impact of any password data breach.
So, what were the most common passwords used by the breached NVIDIA employees? An analysis by Specops Software of 30,000 of the leaked passwords found that these were the top 10 base words:
Oh dear. Somehow I don’t think you would need to use a powerful NVIDIA GPU for very long to crack that motley collection.
Companies need to enforce better password policies for employees rather than rely on staff to make good decisions on their own. Screening every new password against a deny-list of common and company-specific base words (and their obvious variants, such as a trailing year or a “0” in place of an “o”) would have rejected “nvidia”, “password” and “qwerty” outright. NVIDIA should never have allowed them.
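As an added example (not code from the article, from NVIDIA or from Specops), the script below does what the argument above implies: it reduces each password to a base word the way such an analysis does (lowercase, strip the trailing year or digits, undo common leet substitutions), counts the most common base words across a list, and rejects any candidate password whose base word contains an entry on a company deny-list. The sample password list and the deny-list are constructed for illustration, and the normalisation rules are an assumption about how a "base word" is defined, not Specops' published method.

```python
import re
from collections import Counter

# Constructed sample of "cracked" passwords for the demo; not real leaked data.
SAMPLE_PASSWORDS = [
    "nvidia123", "Nvidia2021!", "NV1D1A", "password1", "P@ssw0rd", "qwerty",
    "Qwerty!1", "Welcome2022", "welcome", "Summer2021", "hunter2", "nvidia",
]

# Assumed company deny-list: the company name plus the usual suspects.
# A real deployment would use a much larger list (e.g. a breached-password corpus).
DENYLIST = {"nvidia", "password", "qwerty", "welcome", "summer", "admin"}

# Common "leet" substitutions to undo so that P@ssw0rd and password collapse together.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def base_word(pw: str) -> str:
    """Reduce a password to its base word.

    Heuristic (an assumption for this example): drop leading/trailing runs of
    digits and symbols (years, '!', '123'), then undo leet substitutions inside
    the remaining core, then keep only the letters. 'Nvidia2021!' -> 'nvidia',
    'P@ssw0rd' -> 'password'. Purely numeric passwords reduce to ''.
    Note the trade-off: a leading '$' in '$ecret' is stripped rather than mapped.
    """
    core = re.sub(r"^[^a-zA-Z]+|[^a-zA-Z]+$", "", pw)
    core = core.lower().translate(LEET)
    return re.sub(r"[^a-z]", "", core)


def top_base_words(passwords, n: int = 10):
    """Count base words across a password list, most common first."""
    counts = Counter(bw for bw in map(base_word, passwords) if bw)
    return counts.most_common(n)


def check_policy(pw: str, denylist=DENYLIST, min_len: int = 12):
    """Return the list of reasons a candidate password fails; [] means it passes.

    The deny-list check is a substring match on the normalised base word, so
    'nvidiarocks2022' is rejected just like 'nvidia'.
    """
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    bw = base_word(pw)
    if not bw:
        reasons.append("contains no letters (digits/symbols only)")
    hits = sorted(d for d in denylist if d in bw)
    if hits:
        reasons.append(f"base word '{bw}' contains deny-listed word(s): {', '.join(hits)}")
    return reasons


if __name__ == "__main__":
    print("Top base words in the sample:")
    for word, count in top_base_words(SAMPLE_PASSWORDS, 5):
        print(f"  {word:<10} {count}")
    for candidate in ["Nvidia2021!", "P@ssw0rd", "correct-horse-battery-staple-42"]:
        verdict = check_policy(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else 'REJECT: ' + '; '.join(verdict)}")
```

Run against the sample list, the top base word is "nvidia" by a wide margin, which is exactly the pattern the Specops analysis describes; the policy check rejects "Nvidia2021!" and "P@ssw0rd" (deny-listed base word, and too short) while letting a long passphrase through.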
2 comments on “NVIDIA staff shouldn’t have chosen passwords like these…”
Decades ago the IBM mainframe password rules options included enforced non-reuse, construction and duration rule options – so, as login admin we could enforce some level of security of passwords BUT Senior management couldn't be bothered with any serious strength being enforced AND turned a blind eye to staff in a 24/7 banking ops centre sharing IDs – eventually spotted by auditing login/logout durations (in weeks in some cases). Surely some comparable functionality can be implemented in modern operating systems BUT again it is up to the senior management to insist the rules are appropriate and applied.
2FA needs to be mandatory for everything. We can’t fix dumb, and that is what this was: DUMB.