Advanced Micro Devices Inc. is investigating a potential data breach after a hacking group claimed to have stolen 450 gigabytes of data from the chipmaker.

The stolen data claim comes from a hacking group calling itself RansomHouse. The group claims on its darknet site that it breached AMD on Jan. 5 and got the data thanks to the use of weak passwords throughout the organization.

The use of weak passwords was front and center of a rather long and colorful message left written by RandomHouse.

“An era of high-end technology, progress and top security… there’s so much in these words for the crowds. But it seems those are still just beautiful words when even technology giants like AMD use simple passwords to protect their networks from intrusion,” RansomHouse wrote. “It is a shame those are real passwords used by AMD employees, but a bigger shame to AMD Security Department which gets significant financing according to the documents we got our hands on — all thanks to these passwords.”

Restore Privacy examined a data sample of the allegedly stolen data and found that it included network files, systems information and AMD passwords. The data in the sample does appear to have been stolen from AMD.

AMD said in a statement that it is aware of a bad actor claiming to be in possession of stolen data and that an investigation is currently underway.

“AMD, and any high-tech company, should require phishing-resistant multifactor authentication for all logins, or if MFA cannot be used, require strong and unique passwords,” Roger Grimes, data-driven defense evangelist at security awareness training company KnowBe4 Inc., told SiliconANGLE. “Any lesser practice without sufficient offsetting controls would be considered by most computer security experts as negligence.”

Saryu Nayyar, founder and chief executive officer of unified security and risk analysis company Gurucul Solutions Pvt Ltd A.G., noted that AMD survived the global chip supply chain crisis during the COVID-19 pandemic only to be victimized by ransomware from a new data extortion group.

“Doubling down on irony is that AMD staff used ‘password’ as the password for critical network access,” Gurucul added. “How does this still happen in companies with security-savvy engineers? It’s beyond comprehension, quite frankly. Time to spin all the passwords and clean up security controls. Seriously, it’s time.”

Photo: Domas Mituzas/Wikimedia Commons