The hacking group that claims to have taken a terabyte of data from chipmaking giant Nvidia is threatening to release the company’s “most closely-guarded secrets” today unless it meets the gang’s increasingly bizarre demands.
The Lapsus$ hacking group, which first claimed responsibility for the data breach last week, has already started leaking data. According to the data breach monitoring website Have I Been Pwned (HIBP), the hackers stole the credentials of more than 71,000 Nvidia employees. The data includes email addresses and Windows password hashes, according to HIBP, “many of which were subsequently cracked and circulated within the hacking community.”
While Nvidia previously confirmed that employee credentials were taken in the attack, the company declined to say whether it has notified those affected or forced password resets for compromised accounts. Despite the increasing fallout from the incident — and the hacking group’s looming deadline — Nvidia’s incident response page has not been updated since Tuesday.
The hackers now threaten to release Nvidia’s trade secrets, including schematics, source code, and information on recent Nvidia graphics chips such as the as-yet-unannounced RTX 3090 Ti, unless Nvidia meets the group’s unusual demands. The group called on Nvidia to remove its controversial Lite Hash Rate (LHR) feature, which limits the Ethereum mining capabilities of its RTX 30 series graphics cards. Nvidia introduced the feature in early 2021 after the crypto-mining community depleted its stock, making it impossible for gamers to get their hands on the new graphics cards.
“We want Nvidia to push an update for all 30 series firmware that removes every LHR limitation. Otherwise, we will leak [the hardware] folder,” said the Lapsus$ group on Telegram. “If they remove the LHR, we will forget about [the] folder… We both know LHR impacts mining and gaming.”
Earlier this week, Lapsus$ added another unusual demand: it wants Nvidia to open source its graphics chip drivers for macOS, Windows, and Linux devices. The group gave Nvidia until March 4 — today — to comply.