Recent cybersecurity developments have been buzzing with a rather alarming claim by a threat actor who alleged that they possessed tens of millions of OpenAI account logins from a supposed data breach. Yet, after a thorough investigation, it appears that these claims have been debunked. According to the threat intelligence firm Kela, the credentials in question were not obtained from a direct breach of OpenAI’s systems, but rather sourced from public and private infostealer logs.
Upon analyzing a sample provided by the actor, Kela discovered that all 30 compromised credentials matched those found in their extensive data lake of compromised accounts collected through infostealer malware. This data lake contains over a billion records, including around four million bots gathered in 2024 alone. This discovery strongly indicates that the actor’s data likely originates from these infostealer-compromised accounts, casting significant doubt on any claim of a specific or direct OpenAI system breach.
The Role of Infostealer Malware
The actor, known as ‘emirking,’ is not widely recognized and has only one other notable post on BreachForums prior to this incident, where they claimed access to 50,000 infostealer logs. Kela’s in-depth investigation connected the allegedly breached OpenAI credentials to 14 different sources. These sources included both private data leaks from subscription bots and public leaks of stolen credentials. Interestingly, one source alone was responsible for over 118 million compromised credentials, highlighting the scale and scope of data compromised by infostealer malware.
Various malware families were implicated in this data compromise, including Redline, RisePro, StealC, Lumma, and Vidar. The infection dates for these malware attacks spanned from October 2023 to July 2024, with the majority occurring between January and April 2024. These findings reinforce the idea that the credentials were harvested over time from numerous accounts compromised by infostealer malware, rather than being obtained through a direct breach of OpenAI.
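The triage Kela describes (matching a seller's sample against a corpus of infostealer logs, then summarising which feeds, malware families and infection dates the hits trace back to) as an added example in Python, not code from the article or from Kela; every record, field name and threshold here is a constructed assumption.

```python
from collections import Counter
from datetime import date

# Constructed infostealer-log corpus: (email, password, malware family,
# infection date, source feed). Stands in for the data lake in the article.
STEALER_LOGS = [
    ("alice@example.com", "Hunter2!", "Redline", date(2024, 2, 11), "public-leak-A"),
    ("alice@example.com", "Hunter2!", "Lumma", date(2024, 3, 2), "sub-bot-B"),
    ("bob@example.com", "pass1234", "Vidar", date(2023, 10, 20), "public-leak-A"),
    ("carol@example.com", "qwerty!", "StealC", date(2024, 4, 1), "sub-bot-C"),
    ("dave@example.com", "letmein", "RisePro", date(2024, 7, 9), "sub-bot-B"),
]

# Constructed sample a seller offers as proof of a "fresh breach".
CLAIMED_SAMPLE = [
    ("Alice@example.com", "Hunter2!"),
    ("bob@example.com", "pass1234"),
    ("carol@example.com", "qwerty!"),
    ("erin@example.com", "never-seen-before"),
]

def triage(sample, logs, recycled_threshold=0.9):
    """Cross-reference a claimed-breach sample with stealer logs.

    Returns the match count, the feeds and malware families the hits trace
    to, the infection date range, and a verdict: if (almost) every sample
    credential already sits in stealer logs, the data is far more likely
    recycled than evidence of a new breach of the named service."""
    index = {}
    for email, pw, family, infected, source in logs:
        index.setdefault((email.lower(), pw), []).append((family, infected, source))
    matched = {}
    for email, pw in sample:
        key = (email.lower(), pw)  # normalise case on the email part only
        if key in index:
            matched[key] = index[key]
    hits = [h for hs in matched.values() for h in hs]
    ratio = len(matched) / len(sample) if sample else 0.0
    return {
        "matched": len(matched),
        "total": len(sample),
        "sources": Counter(h[2] for h in hits),
        "families": Counter(h[0] for h in hits),
        "first_infection": min((h[1] for h in hits), default=None),
        "last_infection": max((h[1] for h in hits), default=None),
        "verdict": "recycled stealer logs" if ratio >= recycled_threshold
                   else "inconclusive, investigate further",
    }

if __name__ == "__main__":
    print(triage(CLAIMED_SAMPLE, STEALER_LOGS))
```

With the constructed data three of four credentials are already known, so the verdict is "inconclusive"; the article's 30-of-30 match would clear the threshold.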
Broader Cybersecurity Implications
Further analysis by Kela revealed that 23 out of 28 compromised emails in their sample were linked to other service registrations, indicating these emails were used on multiple platforms. This pattern supports the conclusion that the compromised data is genuine stealer-log material, and it aligns with broader cybersecurity research trends. For example, a Check Point Research report highlighted a 58% rise in infostealer attacks targeting organizations in the EMEA region over the past year.
These findings suggest that the threat actor’s claims likely rely on widely available stolen credential logs. Kela’s in-depth analysis highlights the significant role infostealers play in cybersecurity threats. This case emphasizes the necessity for vigilance and robust security measures to guard against such widespread and insidious dangers.
In conclusion, the recent claim of a breach on OpenAI’s systems was unfounded, with evidence pointing to the use of previously compromised data from various leaks and infostealer sources. This situation highlights the persistent and escalating threat posed by infostealers, stressing the need for organizations to improve their cybersecurity protocols and response strategies to mitigate potential risks effectively in an increasingly complex digital landscape.