OpenAI denies breach of 20m customer credentials from its servers

Artificial Intelligence company OpenAI has denied that it suffered a data security incident after a threat actor offered to sell 20 million OpenAI credentials on BreachForums.

 

Recently, a threat actor using the moniker “emirking” claimed on BreachForums that they infiltrated the internal network of OpenAI and stole confidential data. The hacker claims to be in possession of 20 million OpenAI account credentials and has offered to sell them to interested buyers.

 

“When I realized that OpenAI might have to verify accounts in bulk, I understood that my password wouldn’t stay hidden. I have more than 20 million access codes to OpenAI accounts. If you want, you can contact me—this is a treasure,” reads a translated version of the hacker’s statement in Russian language.

 

Acknowledging the claims of the threat actor, the AI company said it launched an investigation, with assistance from cyber security experts, to verify whether it had suffered a breach.

 

In a statement shared with SecurityWeek, an OpenAI spokesperson said, “We take these claims seriously. We have not seen any evidence that this is connected to a compromise of OpenAI systems to date.”

 

Threat intelligence firm Kela also investigated the sample data shared by “emirking” and said that the leaked OpenAI credentials were likely obtained from an existing database that contained data stolen using infostealer malware.

 

“To assess the OpenAI credentials claim, Kela analyzed a sample shared by the actor, which included 30 compromised credentials related to OpenAI services – all containing authentication details to auth0[.]openai[.]com.

 

“These credentials were cross-referenced with Kela’s data lake of compromised accounts obtained from infostealer malware, which contains more than a billion records, including over four million bots collected in 2024. 

 

“All credentials from the sample shared by the actor ‘emirking’ were found to originate in these compromised accounts, likely hinting at the source of the full 20 million OpenAI accounts that the actor intends to sell,” reads Kela’s blogpost.

 

Kela added that the threat actor later deleted their post on BreachForums, even though the actor continues to be a member of the dark web forum.