OpenAI Was Not Breached, Say Researchers

A threat actor’s recent claim to have tens of millions of OpenAI account logins for sale after breaching the company is likely to be false, according to a new report.
Threat intelligence firm Kela said the actor instead most likely obtained the credentials from infostealer logs available publicly and privately.
“To assess the OpenAI credentials claim, Kela analyzed a sample shared by the actor, which included 30 compromised credentials related to OpenAI services – all containing authentication details to auth0.openai.com,” Kela wrote in a blog post yesterday.
“These credentials were cross-referenced with Kela’s data lake of compromised accounts obtained from infostealer malware, which contains more than a billion records, including over four million bots collected in 2024. All credentials from the sample shared by the actor ‘emirking’ were found to originate in these compromised accounts, likely hinting at the source of the full 20 million OpenAI accounts that the actor intends to sell.”
The theory is backed by further evidence: emirking’s only other BreachForums post, aside from the February 6 advert for OpenAI credentials, dates from January 9, 2025.
In it, they apparently claimed to have access to 50,0000 infostealer logs, and listed a sample of 15 such logs.
In fact, the ‘breached’ OpenAI credentials assessed by Kela can be traced back to 14 discrete sources, including private data leaks originating from paid subscription bots and public data leaks of widely shared stolen credentials. The most prevalent source was linked to over 118 million compromised credentials, Kela said.
“Multiple malware families were linked to these infections. The analysis revealed that Redline (eight occurrences), RisePro (five occurrences), StealC (four occurrences), Lumma (five occurrences), and Vidar (four occurrences) were the primary infostealer malware families observed, with infection dates spanning from October 12, 2023, to July 28, 2024, and the majority of infections occurring between January and April 2024,” it added.
“Further investigation into the compromised email addresses showed that 23 out of 28 were used for registration on other services, confirming that victims’ email addresses were repurposed across multiple platforms, which indicates their validity.”
Kela’s findings echo recent research which highlights the growing impact of infostealers.
A report from Check Point Research earlier this month revealed a 58% increase in infostealer attacks targeting organizations in the EMEA region over the past year.