OpenAI Investigates Claims of 20 Million User Credentials for Sale, No Evidence of Breach Found

Hackers offer 20 million OpenAI credentials for sale, but it says there's no evidence of a breach

OpenAI says its investigation has found no evidence of a compromise A hacker claims to be selling the login credentials of 20 million OpenAI users accounts - but the company says its own investigation has found no evidence of a hack. A report from Malwarebytes Labs discovered a cybercriminal who goes by the name 'emirking' had listed a dataset for sale on a cybercrime forum claiming to contain, '20 million access codes to OpenAI accounts'. OpenAI responded, stating, "We take these claims seriously. We have not seen any evidence that this is connected to a compromise of OpenAI systems to date." Breaches like these can have catastrophic consequences for both the company and the users, but there are a few red flags that point to this incident being less than genuine, here's what we know. In Malwarebytes Lab's initial report, there was some doubt cast over the origins of the information, with the report outlining "It seems unlikely that such a large amount of credentials could be harvested in phishing operations against users, so if the claim is true, emirking may have found a way to compromise the auth0.openai.com subdomain by exploiting a vulnerability or by obtaining administrator credentials." The report also pointed out that the cybercriminal allegedly responsible for the leak was a relatively new user of the forums - which wouldn't mean much on its own, but KELA cybersecurity also assessed the available data, and concluded the credentials were obtained via infostealer malware. The analyzed sample by KELA showed the compromised logins related to OpenAI services, and contained authentication details to 'auth0.openai.com'. The security researchers then cross-referenced these details with its own data lake of "compromised accounts obtained from infostealer malware, which contains more than a billion records, including over 4 million bots collected in 2024." "All credentials from the sample shared by the actor 'emirking' were found to originate in these compromised accounts, likely hinting at the source of the full 20 million OpenAI accounts that the actor intends to sell," the security company confirmed. Ultimately, the investigation concluded, "the majority of compromised credentials of OpenAI services offered for sale on BreachForums by emirking are not related to a breach of OpenaAI systems." The credentials were deemed to be a part of a larger dataset "scraped from a mix of private and public sources that sell and share infostealer logs" - not from an unreported compromise. No matter how the leaked credentials were acquired, anyone who has had their details leaked is at risk. The primary danger with this incident is social engineering attacks and identity theft. Because many users of AI chatbots will (sometimes unwittingly) hand over personal information, anyone with access to their accounts could use the compromised email address to engineer personal and specific phishing attacks designed to steal even more information. Just asking a chatbot for restaurant recommendations in your city, advice on budgeting, or work-specific questions or summaries can give attackers all the information they need to craft a convincing way to reach out pretending to be a colleague, trusted company, friend, or family member. Being vigilant is the most effective way to combat this. Don't give out any information to an unknown person or unexpected contact that you haven't thoroughly vetted first, and make sure not to click any links you don't 100% trust. Make sure to also create a strong and secure password, and it's important that you do not reuse passwords from one site to another - this helps by quarantining any account that has been breached. It's a similar process when mitigating the risk of identity theft. Keeping an eye on your accounts, statements, and bills to make sure there's nothing you don't recognize, and let your bank know immediately if there is anything suspicious. We've also listed some software which can essentially do the work for you, monitoring your credit files, warning about suspicious activity, and alerting you if any personal information is used (such as new bank accounts being opened in your name). Some even offer identity recovery and insurance policies up to $1 million, so check out our picks for best identity theft protection for families if you're concerned about your information.

20 million OpenAI users hacked? Here's how to stay safe, just in case

Have you ever tried ChatGPT? You may want to take a quick moment to freshen up your account's security. A Russian hacker is claiming to have login data for over 20 million OpenAI users -- and the information includes email addresses and passwords. On Friday, samples of OpenAI logins emerged on the dark web, along with an offer to sell the full trove of data. Currently, OpenAI says it has not yet found evidence of compromised systems (as per The Independent). However, don't take that as a sign that everything's fine. Given the potential sensitive information that could be exposed if this is true, responding proactively now is a safe move. (Not sure what could put you at risk if you wait to see what happens? For starters, OpenAI's ChatGPT chatbot undoubtedly contains sensitive data in saved user queries, including financial and medical information. Such information could be used in targeted phishing campaigns -- which, due to the use of AI services like those provided by OpenAI, have become dramatically more sophisticated in a very short period. Most users aren't yet expecting the new level of personalization in scam attempts.) Until OpenAI's investigation is complete, you can take several proactive steps: If you reuse passwords or use very similar passwords across sites, also change your password on any other services where there's overlap. To enable 2FA and log out of all devices, you must log into your account, then go to Settings. To reset your password, you must use the "Reset password" link on the login page. Unfortunately, big data breaches affecting major services aren't unusual -- which is why you should treat this claim with some seriousness. And, in general, bolster your security practices for 2025. You don't need to keep track of all your unique login details, either. Passkeys and a password manager will help you stay on top of it all, with little extra effort needed on your part.

OpenAI Hack? AI Giant Investigating Claim of 20 Million Stolen User Credentials - Decrypt

OpenAI says it's investigating after a hacker claimed to have swiped login credentials for 20 million of the AI firm's user accounts -- and put them up for sale on a dark web forum. The pseudonymous breacher posted a cryptic message in Russian advertising "more than 20 million access codes to OpenAI accounts," calling it "a goldmine" and offering potential buyers what they claimed was sample data containing email addresses and passwords. As reported by Gbhackers, the full dataset was being offered for sale "for just a few dollars." "I have over 20 million access codes for OpenAI accounts," emirking wrote Thursday, according to a translated screenshot. "If you're interested, reach out -- this is a goldmine, and Jesus agrees." If legitimate, this would be the third major security incident for the AI company since the release of ChatGPT to the public. Last year, a hacker got access to the company's internal Slack messaging system. According to The New York Times, the hacker "stole details about the design of the company's A.I. technologies." Before that, in 2023 an even simpler bug involving jailbreaking prompts allowed hackers to obtain the private data of OpenAI's paying customers. This time, however, security researchers aren't even sure a hack occurred. Daily Dot reporter Mikael Thalan wrote on X that he found invalid email addresses in the supposed sample data: "No evidence (suggests) this alleged OpenAI breach is legitimate. At least two addresses were invalid. The user's only other post on the forum is for a stealer log. Thread has since been deleted as well." In a statement shared with Decrypt, an OpenAI spokesperson acknowledged the situation while maintaining that the company's systems appeared secure. "We take these claims seriously," the spokesperson said, adding: "We have not seen any evidence that this is connected to a compromise of OpenAI systems to date." The scope of the alleged breach sparked concerns due to OpenAI's massive user base. Millions of users worldwide rely on the company's tools like ChatGPT for business operations, educational purposes, and content generation. A legitimate breach could expose private conversations, commercial projects, and other sensitive data. Until there's a final report, some preventive measures are always advisable: