A hacker has surfaced online, claiming to sell login credentials of 20 million OpenAI user accounts. However, OpenAI insists there is no evidence of a security breach on its systems.
Cybersecurity experts at Malwarebytes Labs uncovered a post on a cybercrime forum by a user known as ‘smirking,’ who alleged they had access to a massive dataset containing millions of OpenAI account details, per Tech Radar’s report.
Despite these claims, OpenAI reassured users that its internal investigation found nothing to suggest its systems had been compromised. While such leaks can have serious consequences, there are several reasons to question this hack’s authenticity.
A suspicious leak
The sheer scale of the supposed leak has raised eyebrows. Malwarebytes Labs noted that collecting 20 million login credentials through phishing alone would be highly unlikely. If the hacker’s claim were valid, they may have exploited a vulnerability in OpenAI’s authentication system or obtained administrator credentials. However, there’s little evidence to back this up.
Security firm KELA analyzed and found that the leaked credentials were linked to OpenAI services but acquired through info stealer malware rather than a direct system breach.
By cross-referencing the data with its vast repository of compromised accounts, KELA determined that these credentials were part of a broader dataset collected from various sources that sell stolen login information. The conclusion? The credentials for sale likely originated from users who had unknowingly had their details stolen by malware rather than from a security failure on OpenAI’s end.
What’s the real risk
Regardless of how these credentials were obtained, affected users could be at risk. The main concern here isn’t just unauthorized access to OpenAI accounts—what can be done with that information? AI chatbot users often enter personal details, whether financial advice, work-related queries, or even simple location-based recommendations.
If a hacker gains access to an account, they can use that information to craft convincing phishing scams, impersonating trusted contacts or companies to extract even more sensitive data.
For instance, if someone frequently asks a chatbot for budgeting tips, an attacker might send them a fake email pretending to be from their bank. Similarly, if a user discusses business topics, the hacker could pose as a colleague or employer. These social engineering tactics are highly effective, making vigilance crucial.
Staying safe online
Even if this leak isn’t tied to an OpenAI security failure, it’s a reminder to take online safety seriously. If you suspect your details might be compromised, updating your password immediately is wise. Cybersecurity experts recommend using unique, complex passwords for each service and enabling two-factor authentication (2FA) whenever possible.
It’s also essential to remain cautious about emails, messages, or suspicious links. If something feels off, verify the sender before clicking on anything or sharing personal information. Monitoring bank statements and online accounts can also help detect unusual activity early.
For those concerned about identity theft, security services track your personal information and alert you to any suspicious activity, including new accounts being opened in your name. Some even offer recovery services and insurance coverage. While this data leak may not have been a direct OpenAI breach, it is another reminder that cybersecurity threats constantly evolve, and staying informed is the best defense.
