100,000 ChatGPT Accounts Stolen and Put Up for Sale

Between June 2022 and May 2023, a significant number of compromised OpenAI ChatGPT account credentials, exceeding 101,100, have surfaced on illicit dark web marketplaces. Notably, India accounted for 12,632 of the stolen credentials, according to a report from Group-IB shared with The Hacker News.

The availability of compromised ChatGPT accounts reached its highest point in May 2023, with a total of 26,802 logs being offered for sale. The Asia-Pacific region witnessed the highest concentration of ChatGPT credentials being traded over the past year.

Among the countries with the most compromised ChatGPT credentials are Pakistan, Brazil, Vietnam, Egypt, the U.S., France, Morocco, Indonesia, and Bangladesh.

Further investigation revealed that the majority of logs containing ChatGPT accounts were compromised by the well-known Raccoon info stealer, totaling 78,348. Vidar accounted for 12,984 compromised credentials, followed by RedLine with 6,773.

Info stealers have gained popularity among cybercriminals due to their ability to hijack sensitive information such as passwords, cookies, credit card details, and cryptocurrency wallet data from web browsers.

The logs containing compromised information are actively traded on dark web marketplaces, with additional information about the logs including lists of domains found in the log and details of the compromised host's IP address.

These compromised ChatGPT accounts, available through a subscription-based pricing model, not only lower the entry barrier for cybercriminal activities but also serve as a gateway for launching subsequent attacks using the stolen credentials.

Potential Threats Associated with Credential Theft

Given that many organizations integrate ChatGPT into their workflows, there is a risk of inadvertently exposing sensitive intelligence to threat actors if account credentials are obtained. For example, employees may engage in classified correspondences or use the bot to optimize proprietary code, and the retention of all conversations in ChatGPT's default configuration could provide a treasure trove of valuable information to malicious actors.

To mitigate such risks, users are advised to follow strong password practices and enable two-factor authentication (2FA) to prevent account takeover attacks.

These developments occur concurrently with an ongoing malware campaign that exploits fake OnlyFans pages and adult content baits to distribute a remote access trojan and an information stealer known as DCRat (DarkCrystal RAT), which is a modified version of AsyncRAT.