In what’s already been a bad week for website security breaches, NVIDIA has announced that they have become the latest victim of hackers looking to steal user credentials. After having taken down a couple of their sub-sites earlier this week in order to investigate unusual activity, NVIDIA has discovered that both their Developer Zone and their forums were compromised. Altogether NVIDIA is reporting that an unknown number of accounts among the roughly 400K accounts in their system were compromised, which means it’s safest to assume that all 400K accounts were compromised.
The bad news is that the attackers did get the typical information that most forums store, including:
The relatively good news is that like most forums NVIDIA only stored hashed & salted passwords, so the passwords themselves haven’t been directly compromised. However in the age of GPU computing a hash is only as good as the password behind it, so in the case of bad/weak passwords the attackers can recover those passwords from the stolen hashes without too much effort.
As is common with these types of breaches, NVIDIA is recommending that all users who used the same password elsewhere change their passwords on those sites & services, and not reuse the same password in the future. Furthermore, with the attackers being in possession of forum usernames and email addresses, users should be on the lookout for phishing attacks utilizing that information.
Not without first knowing the salt they can't.
It's very possible that the salt may have also been compromised by the same method used to retrieve the hashes but salts most certainly are meant to be kept secret; at least to the same extent as the hashes themselves.
In cases where a single salt is used to generate multiple hashes
In addition to the salt being possibly unknown the method used to generate the hashes may also be unknown.
Just because it has recently become trivial to brute force short passwords from hashes generated by a couple types of commonly used hashing methods doesn't also make trivial the knowledge of how the hashes were generated and the value of the salt.
Granted, this is a troubling matter and the affected users will need to take strong precautions to prevent further theft of their digital identities.
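To make concrete both the article's point (a salted hash of a weak password falls quickly to a wordlist when the hash function is fast) and the comment discussion about salts, here is an added example; it is not code from the article, from NVIDIA, or from the commenters. It assumes the weaker storage scheme is a single SHA-1 round over salt+password (a constructed assumption, not a statement about NVIDIA's forum software), and contrasts it with per-user random salts plus PBKDF2-HMAC-SHA256 and a constant-time comparison, which is the standard design in which the salt is stored next to the hash and is not a secret. The account names, passwords and banned-password list are constructed for the example.

```python
import hashlib
import hmac
import os

# Work factor for the slow scheme; a constructed value chosen so the example runs quickly.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Return a storable record: per-user random salt, iteration count and derived key.

    The salt is stored alongside the hash (it is not a secret); its job is to make
    every user's hash unique so precomputed tables and bulk cracking do not apply.
    """
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(dk.hex(), record["hash"])


def fast_salted_hash(password: str, salt: bytes) -> str:
    """Assumed weaker scheme: one SHA-1 round over salt+password (constructed, for contrast)."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def audit_against_banned_list(records, banned_passwords) -> set:
    """Site-operator audit: which accounts in a fast-hash store use a banned password?

    Each record is (username, salt_hex, sha1_hex). The salt is known to the operator
    (it is stored with the hash), so each candidate is hashed once per account. This is
    exactly the computation that is cheap for a fast hash and expensive for a slow KDF.
    """
    hits = set()
    for user, salt_hex, digest in records:
        salt = bytes.fromhex(salt_hex)
        for candidate in banned_passwords:
            if hmac.compare_digest(fast_salted_hash(candidate, salt), digest):
                hits.add(user)
                break
    return hits


# Constructed sample data: two accounts under the weaker scheme, one weak password.
BANNED_PASSWORDS = ["password", "123456", "letmein", "qwerty"]
_ALICE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
_BOB_SALT = bytes.fromhex("ffeeddccbbaa99887766554433221100")
SAMPLE_FAST_RECORDS = [
    ("alice", _ALICE_SALT.hex(), fast_salted_hash("letmein", _ALICE_SALT)),
    ("bob", _BOB_SALT.hex(), fast_salted_hash("correct horse battery staple", _BOB_SALT)),
]


def same_password_different_hashes(password: str) -> bool:
    """Two users with the same password get different stored hashes under the slow scheme."""
    a, b = hash_password(password), hash_password(password)
    return a["hash"] != b["hash"] and verify_password(password, a) and verify_password(password, b)


if __name__ == "__main__":
    print("weak accounts in fast-hash store:", audit_against_banned_list(SAMPLE_FAST_RECORDS, BANNED_PASSWORDS))
    print("per-user salt makes hashes unique:", same_password_different_hashes("letmein"))
```

The audit function finds the weak account immediately because a SHA-1 round costs almost nothing; the same loop against PBKDF2 records would cost 200,000 rounds per guess per account, which is the property the article's "only as good as the password behind it" remark depends on. Note that the audit needs the salt, but the salt is stored in the same table as the hash, so anyone holding the table holds the salts too.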