In a startling revelation, Group-IB, a leading cybersecurity firm based in Singapore, has identified over 100,000 devices infected with stealer malware that contain saved ChatGPT credentials.
These compromised credentials have been found within the logs of info-stealing malware traded on illicit dark web marketplaces over the past year. The number of logs containing compromised ChatGPT accounts reached a peak of 26,802 in May 2023. The Asia-Pacific region has seen the highest concentration of ChatGPT credentials being offered for sale over the past year.
ChatGPT, an AI-powered chatbot developed by OpenAI, has become increasingly popular among employees across various industries. It is used to optimize work, from software development to business communications. By default, ChatGPT stores the history of user queries and AI responses, which, if accessed unauthorizedly, could expose confidential or sensitive information.
This information can be exploited for targeted attacks against companies and their employees. According to Group-IB’s latest findings, ChatGPT accounts have already gained significant popularity within underground communities.
Group-IB’s Threat Intelligence platform, which claims to store the industry’s largest library of dark web data, monitors cybercriminal forums, marketplaces, and closed communities in real time. It identifies compromised credentials, stolen credit cards, fresh malware samples, access to corporate networks, and other critical intelligence.
This enables companies to identify and mitigate cyber risks before further damage is done. Group-IB’s analysis of underground marketplaces revealed that the majority of logs containing ChatGPT accounts have been breached by the infamous Raccoon info stealer.
Info stealers are a type of malware that collects credentials saved in browsers, bank card details, crypto wallet information, cookies, browsing history, and other information from browsers installed on infected computers. They then send all this data to the malware operator.
Stealers can also collect data from instant messengers and emails, along with detailed information about the victim’s device. Stealers work non-selectively, infecting as many computers as possible through phishing or other means in order to collect as much data as possible. Logs containing compromised information harvested by info stealers are actively traded on dark web marketplaces.
By analyzing this information, Group-IB’s Threat Intelligence unit identified the countries and regions with the highest concentration of stealer-infected devices with saved ChatGPT credentials. The Asia-Pacific region saw the largest number of ChatGPT accounts stolen by info stealers (40.5%) between June 2022 and May 2023.
“Many enterprises are integrating ChatGPT into their operational flow. Employees enter classified correspondences or use the bot to optimize proprietary code. Given that ChatGPT’s standard configuration retains all conversations, this could inadvertently offer a trove of sensitive intelligence to threat actors if they obtain account credentials.”Dmitry Shestakov, head of threat intelligence at Group-IB.
To mitigate the risks associated with compromised ChatGPT accounts, Group-IB advises users to update their passwords regularly and implement two-factor authentication (2FA). By enabling 2FA, users are required to provide an additional verification code, typically sent to their mobile devices, before accessing their ChatGPT accounts.