Hackers offer 20 million OpenAI credentials for sale, but it says there's no evidence of a breach

SearchGPT OpenAI
(Image credit: Shutterstock / Ascannio)

  • A hacker has allegedly listed 20 million OpenAI logins for sale
  • However the origins of these credentials are disputed
  • OpenAI says its investigation has found no evidence of a compromise

A hacker claims to be selling the login credentials of 20 million OpenAI users accounts - but the company says its own investigation has found no evidence of a hack.

A report from Malwarebytes Labs discovered a cybercriminal who goes by the name ‘emirking’ had listed a dataset for sale on a cybercrime forum claiming to contain, ‘20 million access codes to OpenAI accounts’.

OpenAI responded, stating, “We take these claims seriously. We have not seen any evidence that this is connected to a compromise of OpenAI systems to date.” Breaches like these can have catastrophic consequences for both the company and the users, but there are a few red flags that point to this incident being less than genuine, here’s what we know.

An unlikely story?

In Malwarebytes Lab’s initial report, there was some doubt cast over the origins of the information, with the report outlining

“It seems unlikely that such a large amount of credentials could be harvested in phishing operations against users, so if the claim is true, emirking may have found a way to compromise the auth0.openai.com subdomain by exploiting a vulnerability or by obtaining administrator credentials.”

The report also pointed out that the cybercriminal allegedly responsible for the leak was a relatively new user of the forums - which wouldn’t mean much on its own, but KELA cybersecurity also assessed the available data, and concluded the credentials were obtained via infostealer malware.

The analyzed sample by KELA showed the compromised logins related to OpenAI services, and contained authentication details to ‘auth0.openai.com’.

The security researchers then cross-referenced these details with its own data lake of "compromised accounts obtained from infostealer malware, which contains more than a billion records, including over 4 million bots collected in 2024."

“All credentials from the sample shared by the actor ‘emirking’ were found to originate in these compromised accounts, likely hinting at the source of the full 20 million OpenAI accounts that the actor intends to sell,” the security company confirmed.

Ultimately, the investigation concluded, "the majority of compromised credentials of OpenAI services offered for sale on BreachForums by emirking are not related to a breach of OpenaAI systems."

The credentials were deemed to be a part of a larger dataset "scraped from a mix of private and public sources that sell and share infostealer logs" - not from an unreported compromise.

Staying safe

No matter how the leaked credentials were acquired, anyone who has had their details leaked is at risk. The primary danger with this incident is social engineering attacks and identity theft.

Because many users of AI chatbots will (sometimes unwittingly) hand over personal information, anyone with access to their accounts could use the compromised email address to engineer personal and specific phishing attacks designed to steal even more information.

Just asking a chatbot for restaurant recommendations in your city, advice on budgeting, or work-specific questions or summaries can give attackers all the information they need to craft a convincing way to reach out pretending to be a colleague, trusted company, friend, or family member.

Being vigilant is the most effective way to combat this. Don’t give out any information to an unknown person or unexpected contact that you haven’t thoroughly vetted first, and make sure not to click any links you don’t 100% trust.

Make sure to also create a strong and secure password, and it's important that you do not reuse passwords from one site to another - this helps by quarantining any account that has been breached.

It’s a similar process when mitigating the risk of identity theft. Keeping an eye on your accounts, statements, and bills to make sure there’s nothing you don’t recognize, and let your bank know immediately if there is anything suspicious.

We’ve also listed some software which can essentially do the work for you, monitoring your credit files, warning about suspicious activity, and alerting you if any personal information is used (such as new bank accounts being opened in your name). Some even offer identity recovery and insurance policies up to $1 million, so check out our picks for best identity theft protection for families if you’re concerned about your information.

You might also like

TOPICS
Ellen Jennings-Trace
Staff Writer

Ellen has been writing for almost four years, with a focus on post-COVID policy whilst studying for BA Politics and International Relations at the University of Cardiff, followed by an MA in Political Communication. Before joining TechRadar Pro as a Junior Writer, she worked for Future Publishing’s MVC content team, working with merchants and retailers to upload content.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

Read more
Shadowed hands on a digital background reaching for a login prompt.
Private API keys and passwords found in AI training dataset - nearly 12,000 details leaked
Sam Altman and OpenAI
Open AI bans multiple accounts found to be misusing ChatGPT
Representational image of a cybercriminal
Criminals are spreading malware disguised as DeepSeek AI
A person using DeepSeek on their smartphone
DeepSeek ‘incredibly vulnerable’ to attacks, research claims
A phone showing the DeepSeek app in front of the Chinese flag
OpenAI says DeepSeek used its models illegally, and it has evidence to prove it, new report claims
Someone holding a passport with two boarding passes inside it
Top digital loan firm security slip-up puts data of 36 million users at risk
Latest in Security
An American flag flying outside the US Capitol building against a blue sky
Sean Plankey selected as CISA director by President Trump
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.
Nation-state threats are targeting UK AI research
Scam alert
Fake jobs and phone calls: How Americans lost $12.5 bn to fraud in 2024
Application Security Testing Concept with Digital Magnifying Glass Scanning Applications to Detect Vulnerabilities - AST - Process of Making Apps Resistant to Security Threats - 3D Illustration
Google bug bounty payments hit nearly $12 million in 2024
Scam alert
A new SMS energy scam is using Elon Musk’s face to steal your money
Representational image of a cybercriminal
Allstate sued for exposing personal customer information in plaintext
Latest in News
Vision Pro Metallica
Apple Vision Pro goes off to never never land with Metallica concert footage
Mufasa is joined by another lion, a monkey and a bird in this promotional image
Mufasa: The Lion King prowls onto Disney+ as it finally gets a streaming release date
An American flag flying outside the US Capitol building against a blue sky
Sean Plankey selected as CISA director by President Trump
An Nvidia GeForce RTX 4060 on a table with its retail packaging
Nvidia RTX 5060 GPU spotted in Acer gaming PC, suggesting rumors of imminent launch are correct – and that it’ll run with only 8GB of video RAM
Indiana Jones talking to a friend in a university setting with a jaunty smile on his face
New leak claims Indiana Jones and the Great Circle PS5 release will come in April
A close up of the limited edition vinyl turntable wrist watch from AndoAndoAndo
This limited-edition timepiece turns the iconic Technics SL-1200 turntable into a watch, and I want one