A GeForce NOW data breach has been confirmed by NVIDIA, exposing personal information belonging to users of the cloud gaming service in Armenia. The incident did not touch NVIDIA’s own global infrastructure, but it has put a spotlight on the security risks that come with the company’s regional partner model.
What Happened
The breach originated at GFN.am, a third-party company that operates GeForce NOW as a regional Alliance partner in Armenia. Alliance partners run their own independent systems, including local authentication, customer databases, and billing platforms. That independence means NVIDIA’s core network stays separate, but it also means those partner environments sit outside NVIDIA’s direct security oversight.
GFN.am confirmed that attackers accessed its systems between March 20 and March 26, 2026. Users who had registered on or before March 9, 2026 are potentially affected. Anyone who signed up after that date is not impacted, according to GFN.am’s own disclosure.
NVIDIA confirmed the incident and stated: “Our investigation found no impact on NVIDIA-operated services. The issue is limited to systems run by a third-party GeForce NOW Alliance partner based in Armenia. We are working closely with the partner to support their investigation and resolution. Impacted users will be notified by GFN.am.”
What Data Was Exposed
The GeForce NOW data breach exposed a range of personally identifiable information. According to GFN.am’s disclosure, the compromised data includes:
- Full names (for users authenticated via Google)
- Email addresses
- Usernames
- Dates of birth
- Phone numbers (for users who registered via mobile operator)
- Membership status
- 2FA and TOTP status
Passwords were not compromised. Payment data was also not affected. However, the combination of data types exposed is enough to cause real harm.
The inclusion of 2FA status is particularly significant. Attackers can use that information to filter stolen records and identify accounts without two-factor authentication enabled. That makes follow-on attacks, such as credential stuffing and account takeover attempts, more targeted and efficient. Membership status also gives attackers useful context for social engineering.
The ShinyHunters Claim
Before NVIDIA confirmed the breach, a threat actor using the ShinyHunters name posted on a hacker forum claiming to have stolen millions of GeForce NOW user records. The post included sample data and listed the full database for sale at $100,000 in Bitcoin or Monero.
NVIDIA’s confirmation significantly narrowed the scope of that claim. The breach is not global. It is confined to GFN.am’s systems in Armenia. Crucially, the actor behind the forum post is believed to be an impersonator, not the real ShinyHunters group. The post has since been removed, and it is unclear whether the database was sold or whether the listing was taken down by the seller or forum administrators.
Why the Partner Model Matters
GFN.am does not only serve Armenia. The company also manages GeForce NOW operations in Azerbaijan, Georgia, Kazakhstan, Moldova, Ukraine, and Uzbekistan. So far, no impact has been confirmed in any of those countries. The breach appears to be limited to Armenian users.
Even so, the incident reveals something worth understanding about how cloud gaming services are structured. When a global brand licenses its platform to regional operators, each of those operators becomes an independent point of failure. They manage their own user data, their own security controls, and their own incident response. A compromise at one of those partners can expose users who believe they are dealing with a major company, without that company’s infrastructure ever being touched.
GFN.am says it took immediate steps to lock down its systems following the incident and is working to harden its security going forward.
What Affected Users Should Do
If you used GeForce NOW through GFN.am and registered before March 9, 2026, there are several steps worth taking now.
- First, monitor your email for phishing attempts. Your email address was likely exposed, and attackers may use it for targeted scam messages. Be skeptical of any email that references your GeForce NOW account, asks you to verify details, or directs you to a login page.
- Second, if you do not already have two-factor authentication enabled on your GeForce NOW account, enable it. Given that 2FA status was part of the exposed data, accounts without it are easier targets.
- Third, if you reused your GFN.am password on any other service, change those passwords. Even though passwords were not part of this breach, reused credentials remain one of the most common entry points for account takeovers.
GFN.am has stated it will notify impacted users directly, so keep an eye on any official communication from the platform.
Final Thoughts
The GeForce NOW data breach is a contained incident by most measures. NVIDIA’s global systems were not affected, passwords were not stolen, and the attacker’s identity remains unverified. But it is a clear example of how third-party partnerships can create security gaps that no amount of investment in a company’s own infrastructure can fully close. For the Armenian users whose data was exposed, the risk is real, even if the scale is limited. Staying alert to phishing and securing accounts with two-factor authentication are the most practical steps anyone in the affected group can take right now.
