What Happened?
More than 101,000 ChatGPT user accounts have been compromised over the past year due to information-stealing malware, as reported by Group-IB, a cyberintelligence firm. The data breach was identified through underground websites, where a considerable number of info-stealer logs containing ChatGPT account details were discovered. A significant rise in these activities was observed in May 2023 when threat actors posted 26,800 new ChatGPT credential pairs. Stealer logs originated from three primary malware types: Raccoon, Vidar, and Redline, with Raccoon accounting for nearly 80% of all stolen logs.
Who Was Affected?
The Asia-Pacific region was the most affected, with nearly 41,000 compromised accounts between June 2022 and May 2023. Europe and North America followed, with about 17,000 and 4,700 compromised accounts respectively. Users and businesses that employ ChatGPT for purposes such as proprietary conversations, internal business strategy, and software code optimization were primarily affected. This is because ChatGPT's default configuration retains all conversations, so a threat actor who obtains the account credentials also gains access to potentially sensitive intelligence stored in the chat history.
Hackers’ Objective
The hackers primarily targeted ChatGPT account credentials, given the growing importance of AI-powered tools. They are interested in the potential wealth of information stored in these accounts, such as proprietary information, internal business strategies, personal communications, source code, and more. The malware steals saved credentials from the browser's SQLite database and decrypts the stored secrets. The stolen data is then packaged into logs and sent to the attackers' servers for retrieval. The goal is to exploit the information for illicit activities, which could range from financial fraud to corporate espionage.
Response
In response to these cyberattacks, tech giants like Samsung have prohibited the use of ChatGPT on work computers and threatened employment termination for non-compliance. Cybersecurity firm Group-IB, which identified the breaches, recommends regular password updates and two-factor authentication to mitigate the risk. Users are advised to disable the chat saving feature or to delete conversations manually after use. Where sensitive information is involved, secured, locally built, self-hosted tools should be used instead of cloud-based services. Even then, caution is still advised, because the malware can also capture system screenshots or perform keylogging.