Hacker claims access to 20 million-plus ChatGPT access codes: What ChatGPT users should do right away - The Times of India
A cybercriminal has reportedly put 20 million OpenAI user login credentials and samples of the stolen data up for sale. The hacker, known as "emirking", has issued a statement claiming that the cybercriminal may have found a way to bypass the platform's authentication systems, potentially by exploiting a vulnerability or obtaining administrator credentials. This raises concerns about the security of OpenAI user accounts.
In the statement (translated from Russian by Malwarebytes), the hacker said: “When I realized that OpenAI might have to verify accounts in bulk, I understood that my password wouldn’t stay hidden. I have more than 20 million access codes to OpenAI accounts. If you want, you can contact me—this is a treasure.”
According to a report by Malwarebytes, such a large number of credentials may not have been harvested solely through phishing attacks on users. If the hacker's claim is accurate, Emirking may have discovered a way to compromise the auth0.openai.com subdomain, either by exploiting a vulnerability or by obtaining administrator credentials. However, OpenAI has yet to officially address the hacker’s claims.
Stolen OpenAI credentials could potentially allow cyber criminals to access sensitive user information, leading to targeted phishing campaigns and financial fraud. Additionally, the credentials could be used to exploit the OpenAI API, forcing victims to pay for unauthorized usage of premium features. However, some users on the dark web forum where the credentials were shared have claimed that they do not provide access to ChatGPT conversation history.
Users are advised to change their passwords, enable multi-factor authentication and monitor their accounts for any suspicious activity. It is also important to be vigilant against phishing attempts that may leverage stolen information.
BreachForums, the dark web platform where the credentials were reportedly offered, is currently offline, preventing immediate verification of the claims. Users can also utilise online tools like Malwarebytes’ Digital Footprint scan to check for exposed personal data.