- A hacker has allegedly listed 20 million OpenAI logins for sale
- However the origins of these credentials are disputed
- OpenAI says its investigation has found no evidence of a compromise
A hacker claims to be selling the login credentials of 20 million OpenAI users accounts – but the company says its own investigation has found no evidence of a hack.
A report from Malwarebytes Labs discovered a cybercriminal who goes by the name ‘emirking’ had listed a dataset for sale on a cybercrime forum claiming to contain, ‘20 million access codes to OpenAI accounts’.
OpenAI responded, stating, “We take these claims seriously. We have not seen any evidence that this is connected to a compromise of OpenAI systems to date.” Breaches like these can have catastrophic consequences for both the company and the users, but there are a few red flags that point to this incident being less than genuine, here’s what we know.
An unlikely story?
In Malwarebytes Lab’s initial report, there was some doubt cast over the origins of the information, with the report outlining
“It seems unlikely that such a large amount of credentials could be harvested in phishing operations against users, so if the claim is true, emirking may have found a way to compromise the auth0.openai.com subdomain by exploiting a vulnerability or by obtaining administrator credentials.”
The report also pointed out that the cybercriminal allegedly responsible for the leak was a relatively new user of the forums – which wouldn’t mean much on its own, but KELA cybersecurity also assessed the available data, and concluded the credentials were obtained via infostealer malware.
The analyzed sample by KELA showed the compromised logins related to OpenAI services, and contained authentication details to ‘auth0.openai.com’.
The security researchers then cross-referenced these details with its own data lake of “compromised accounts obtained from infostealer malware, which contains more than a billion records, including over 4 million bots collected in 2024.”
“All credentials from the sample shared by the actor ‘emirking’ were found to originate in these compromised accounts, likely hinting at the source of the full 20 million OpenAI accounts that the actor intends to sell,” the security company confirmed.
Ultimately, the investigation concluded, “the majority of compromised credentials of OpenAI services offered for sale on BreachForums by emirking are not related to a breach of OpenaAI systems.”
The credentials were deemed to be a part of a larger dataset “scraped from a mix of private and public sources that sell and share infostealer logs” – not from an unreported compromise.
Staying safe
No matter how the leaked credentials were acquired, anyone who has had their details leaked is at risk. The primary danger with this incident is social engineering attacks and identity theft.
Because many users of AI chatbots will (sometimes unwittingly) hand over personal information, anyone with access to their accounts could use the compromised email address to engineer personal and specific phishing attacks designed to steal even more information.
Just asking a chatbot for restaurant recommendations in your city, advice on budgeting, or work-specific questions or summaries can give attackers all the information they need to craft a convincing way to reach out pretending to be a colleague, trusted company, friend, or family member.
Being vigilant is the most effective way to combat this. Don’t give out any information to an unknown person or unexpected contact that you haven’t thoroughly vetted first, and make sure not to click any links you don’t 100% trust.
Make sure to also create a strong and secure password, and it’s important that you do not reuse passwords from one site to another – this helps by quarantining any account that has been breached.
It’s a similar process when mitigating the risk of identity theft. Keeping an eye on your accounts, statements, and bills to make sure there’s nothing you don’t recognize, and let your bank know immediately if there is anything suspicious.
We’ve also listed some software which can essentially do the work for you, monitoring your credit files, warning about suspicious activity, and alerting you if any personal information is used (such as new bank accounts being opened in your name). Some even offer identity recovery and insurance policies up to $1 million, so check out our picks for best identity theft protection for families if you’re concerned about your information.
