Content
summary Summary

At least 100,000 credentials of ChatGPT users were reportedly leaked to the darknet. OpenAI released a statement regarding the incident.

Ad

Most of the affected users are from the US, France, Morocco, Indonesia, Pakistan and Brazil. The oldest data is said to date back to June 2022. ChatGPT was made publicly available in November 2022.

Two days after the first reports of the darknet incident, OpenAI issued a statement to Tom's Hardware. The company insists that neither it nor its users were targeted and that the leaked accounts are under investigation.

Getting ChatGPT accounts has never been easier

According to security analysts at Group-IB, most of the compromised credentials were found in logs associated with various malware. Topping the list is the supposedly easy-to-use Raccoon software, which is responsible for 78,348 compromised accounts.

Ad
Ad

The results of the Group-IB Threat Intelligence Report are "the result of commodity malware on people's devices and not a breach of OpenAI," an OpenAI spokesperson said.

He added that OpenAI follows industry best practices for user authentication and authorization, and encourages users to use strong passwords and to install only vetted and trusted software on their computers.

ChatGPT is a sensitive target

It is not uncommon for sensitive data to fall into the wrong hands in account leaks. In the case of ChatGPT, however, the impact could be particularly dramatic: because ChatGPT stores all chats by default, attackers could inadvertently gain access to a "treasure trove of sensitive information" with the logins. People use ChatGPT to chat about all kinds of topics, including sensitive personal or business information.

Samsung, for example, banned the use of ChatGPT for fear of data breaches after a case came to light in which company employees entered confidential codes. Employees still using ChatGPT at Samsung could be fired. Apple has also banned ChatGPT.

In response to political pressure, OpenAI implemented an opt-out feature in late April that automatically deletes all chats and removes them from training materials. For the more than 100,000 leaked accounts, this comes too late: according to security researchers, the leaked data has long been for sale on the darknet. It can't hurt to change your password.

Ad
Ad
Join our community
Join the DECODER community on Discord, Reddit or Twitter - we can't wait to meet you.
Recommendation
Support our independent, free-access reporting. Any contribution helps and secures our future. Support now:
Bank transfer
Summary
  • Over 100,000 credentials of ChatGPT users were recently leaked on the darknet.
  • OpenAI has now stated that this data was stolen primarily through malware on users' devices, rather than through a direct attack on ChatGPT or the company.
  • Since ChatGPT stores all chats by default, criminals could now have access to a lot of sensitive data that people enter into their chats.
Jonathan works as a freelance tech journalist for THE DECODER, focusing on AI tools and how GenAI can be used in everyday work.
Join our community
Join the DECODER community on Discord, Reddit or Twitter - we can't wait to meet you.