NVIDIA Confirms GeForce NOW Partner Breach Affecting Armenian Users

A data breach at GFN.AM, an authorized GeForce NOW cloud gaming service provider in Armenia, exposed personal information belonging to registered users. NVIDIA confirmed on May 5 that its own infrastructure wasn't compromised, though users who signed up through the Armenian partner have had their data exposed since early March.

The breach disclosure comes amid ShinyHunters' ongoing education sector attacks, though NVIDIA suggests the actor claiming credit for this breach may be an imposter rather than the actual ShinyHunters collective.

What Happened

GFN.AM disclosed on May 5 that unauthorized actors accessed their database on March 9, 2026. The intrusion went undetected until May 2—a 54-day window during which attackers had access to user records.

The exposed data includes:

• Email addresses
• GFN.AM account usernames
• Dates of birth
• Phone numbers (for users who registered via mobile carrier)
• Real names (for users who used Google single sign-on)

Passwords were not stored in plain text and were not compromised. Users who registered after March 9 are not affected.

NVIDIA's Response

NVIDIA moved quickly to clarify that the breach was limited to GFN.AM's systems. In a statement to VideoCardz, the company emphasized that its own infrastructure remained secure and that GeForce NOW users in other regions were unaffected.

This distinction matters because NVIDIA licenses the GeForce NOW service to regional partners who operate their own infrastructure. GFN.AM serves users in Armenia and nearby regions who want lower latency than connecting to NVIDIA's European data centers would provide.

The partner model creates a fragmented security landscape. NVIDIA can enforce requirements in licensing agreements, but doesn't directly control partner security practices. When a regional operator gets breached, it's technically not NVIDIA's breach—but users may not appreciate that distinction.

The ShinyHunters Question

Someone claiming to be ShinyHunters posted the breach data on hacker forums. NVIDIA told reporters they believe this may be an imposter rather than the actual group.

ShinyHunters has been extremely active this year, including the ADT breach affecting 5.5 million customers and the Canvas/Instructure attack that exposed data from 275 million students and teachers. The group's high profile makes impersonation attractive—other actors can ride the reputation while ShinyHunters absorbs the attention.

Whether genuine or impersonation, the breach data is real. GFN.AM users should assume their information has been circulating in underground markets since March.

What Affected Users Should Do

GFN.AM hasn't disclosed the total number of affected accounts, but users who registered before March 9, 2026, should take precautions:

1. Watch for phishing - The exposed email addresses and real names enable targeted phishing campaigns. Be skeptical of messages claiming to be from NVIDIA, GFN.AM, or cloud gaming services
2. Check for credential reuse - If you used the same email and password combination elsewhere, change those passwords now
3. Monitor for identity theft - Dates of birth combined with names and emails provide enough information for basic identity verification bypass
4. Expect spam - Phone numbers and emails will likely end up in spam databases

For users wondering how to recognize phishing attempts that might leverage this data, our guide on real-world phishing examples covers common tactics and red flags.

Why This Matters

Cloud gaming services collect more user data than traditional game purchases. Account registration, payment processing, and session telemetry create rich profiles that attract attackers. The distributed partner model that enables regional service also creates additional attack surface outside the primary vendor's control.

This breach is relatively small compared to the Canvas incident affecting 275 million users or the ongoing cPanel ransomware fallout. But for Armenian gamers who trusted GFN.AM with their personal information, the scale of the breach industry matters less than the fact that their data is now circulating among threat actors.

NVIDIA's licensing agreements may include security requirements for partners. Whether those requirements are sufficient, and whether GFN.AM was compliant, remain open questions.