
Oops, They Did It Again: Hackers Target OpenAI


After the media attention DeepSeek drew over its privacy and data-handling practices, public awareness of how GenAI applications actually manage user data has grown.


While popular GenAI platforms like Gemini, Grok, and OpenAI emphasize ethical data practices, users should remain cautious about how they use these applications. The risk of data exposure, whether through account compromise or a potential breach, remains a critical consideration.


2025 Data Breach

Researchers at Malwarebytes recently discovered a cybercriminal claiming to sell 20 million OpenAI user login credentials. The cybercriminal, using the handle "emirking," posted on underground forums detailing how they allegedly obtained the credentials.


"When I realized that OpenAI might have to verify accounts in bulk, I understood that my password wouldn't stay hidden. I have more than 20 million access codes to OpenAI accounts. If you want, contact me. This is a treasure."


Screenshot From Malwarebytes' Article

Although the account has been active since January 2025, there is no evidence linking the user behind it to other postings on underground forums.

With these early claims, Malwarebytes researchers theorize that the cybercriminal may have exploited an undisclosed vulnerability in OpenAI’s authentication subdomain or gained access to a privileged account to retrieve the data.


Researchers at CyberSpeak Labs have found no publicly claimed breaches tied to this account, leaving the true identity and affiliations of this hidden figure unknown.

However, threat intelligence firm KELA conducted a deeper investigation based on the details outlined in the Malwarebytes report. KELA noted that while the cybercriminal's original post was in Russian, the sentence structure suggests it was generated with a translator rather than written by a native Russian speaker.


Through their research, KELA discovered that "emirking" had made previous posts earlier in the year, primarily involving small credential collections with little engagement. Interestingly, KELA also discovered that "emirking" has since deleted the post claiming to have stolen OpenAI credentials.


Further analysis by KELA revealed that a sample package obtained from the cybercriminal contained credentials that, when cross-referenced against a leaked database of infostealer logs, had mostly been stolen by such malware in the past. KELA also noted that "emirking's" past activity has been linked to compromised accounts obtained through infostealers.

Based on their findings, KELA concluded:


"Thus, based on the sample analysis, KELA asserts that the majority of compromised credentials of OpenAI services offered for sale on BreachForums by emirking are not related to a breach of OpenAI systems."
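The cross-referencing step KELA describes, as an added example (not code from the article, Malwarebytes or KELA): a seller's "proof" sample is normalized and matched against a corpus of known infostealer logs, and the share of pairs already in circulation decides whether the claim looks like recycled stealer data. All records and the verdict threshold are constructed assumptions.

```python
# Added example (not code from the article, Malwarebytes or KELA); every record here is constructed.
import hashlib
from dataclasses import dataclass, field
def pw_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()  # corpus never stores plaintext

# Constructed "proof" sample a seller might post: (email, password).
CLAIMED_SAMPLE = [
    ("alice@example.com", "Winter2023!"),
    ("Bob@Example.com ", "hunter2"),           # case/whitespace noise is common
    ("carol@example.com", "c0rrectHorse"),    # known victim, different password
    ("dave@example.com", "never-seen-before"),
]
# Constructed infostealer corpus: (email, sha256(password)) -> stealer family.
KNOWN_STEALER_LOGS = {
    ("alice@example.com", pw_hash("Winter2023!")): "raccoon",
    ("bob@example.com", pw_hash("hunter2")): "redline",
    ("carol@example.com", pw_hash("OldPass2022")): "lumma",
}

@dataclass
class Triage:
    total: int = 0
    exact: int = 0        # email+password pair already present in stealer logs
    email_only: int = 0   # email known, password differs (rotated or newly stolen)
    unknown: int = 0      # no prior record at all
    families: dict = field(default_factory=dict)
    def match_ratio(self) -> float:
        return self.exact / self.total if self.total else 0.0

    def verdict(self, threshold: float = 0.5) -> str:
        # Assumed heuristic: a sample dominated by already-circulating pairs does not support a platform-breach claim.
        return "recycled infostealer data" if self.match_ratio() >= threshold else "inconclusive"

def triage(sample, logs) -> Triage:
    by_email: dict = {}
    for (email, h), family in logs.items():
        by_email.setdefault(email, {})[h] = family
    result = Triage(total=len(sample))
    for email, password in sample:
        seen = by_email.get(email.strip().lower(), {})   # normalize before lookup
        family = seen.get(pw_hash(password))
        if family:
            result.exact += 1
            result.families[family] = result.families.get(family, 0) + 1
        elif seen:
            result.email_only += 1
        else:
            result.unknown += 1
    return result
```

The `email_only` bucket is the one to investigate further: a known victim with a new password may have rotated credentials after the first infection, or been infected again.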


Claims of an OpenAI breach are not unprecedented. In fact, CyberSpeak Labs has documented strikingly similar incidents involving OpenAI since 2023.


OpenAI's Credential Breach History


Below are news events that have been correlated to "breaches" targeted towards OpenAI:

| Date of Event | Security Finding | Investigation Outcome |
|---|---|---|
| May 2023 | 100,000 accounts claimed to be "hacked" from OpenAI. | Accounts used the same emails and passwords that had been stolen by infostealers. |
| May 2023 | Samsung claims to have a data leak through OpenAI. | A user was submitting company data into ChatGPT. |
| June 2023 | 100,000+ credentials claimed to be stolen from OpenAI. | Credentials were stolen through infostealers (Raccoon). |
| October 2023 | Over 225,000 credentials claimed to be from OpenAI. | Credentials were stolen through various infostealers, not an exposed vulnerability within OpenAI. |
| July 2024 | 400 credentials were posted for sale on BreachForums that claim to be from OpenAI. | Credentials were found to be stolen through infostealers. |
| March 2024 | Additional credentials were found on BreachForums claimed to be stolen from OpenAI. | Credentials were due to infostealers installed on a user's computer. |

Security Awareness, Education, and Takeaways

It is crucial to ensure that any claims of data breaches are as accurate as possible, not only to protect the reputation of the targeted company but also to enable security practitioners and leaders to effectively communicate security education and awareness within their organizations and on social media.


Based on recent security events involving OpenAI, here are key takeaways you can apply to your corporate or personal computing environment:


  1. Enable MFA on every account you use. Even if credentials are stolen, MFA adds a second factor that makes it harder for a threat actor to access your account.

  2. Avoid saving passwords in your browser. Use a password manager instead. While storing passwords locally or in your browser may be convenient, enabling features like auto-fill, it also makes them prime targets for threat actors, especially when infostealers compromise a system.

    Most password managers offer secure alternatives, such as encrypted storage, auto-fill, and password generation, providing both convenience and enhanced security.

  3. Avoid clicking on "Ad", "Sponsored", or similar links. This includes, but is not limited to, search engine results, online news pages, and social media content. These pages are notorious for redirecting users to malicious downloads or to pages posing as a browser update.

  4. Do not download browser updates from sources outside your computer’s settings or the official company website. Fake browser updates are a common tactic used by threat actors to distribute malware, including infostealers, putting your system and data at risk.

  5. Ensure passwords are regularly rotated. The frequency depends on what makes sense for your use case, but even rotating passwords once a year for frequently used applications is better than not rotating them at all. This limits how long a compromised credential remains valid, so copies circulating in older infostealer dumps are less likely to still work.


If you believe your system has been compromised or exposed to a threat, work with your local cybersecurity guidelines to ensure the issue is properly reported. Reporting threats or breaches not only helps raise global awareness but also contributes to protecting others from similar risks.
