Get all your news in one place.
100’s of premium titles.
One app.
Start reading
Evening Standard
Evening Standard
Technology
Saqib Shah

ChatGPT: Over 100,000 stolen accounts listed on the dark web, report says

More than 101,000 ChatGPT accounts have been stolen using malicious software over the past year.

Cybersecurity researchers discovered the information within the archives of malware traded on illicit dark web marketplaces, according to a new report.

ChatGPT is an AI chatbot created by tech research firm OpenAI that can have conversations on a range of subjects. The service hit 1.8 billion visits in May, according to data from Similarweb.

Almost 17,000 ChatGPT users in Europe had their account details pilfered from so-called “stealer-infected” devices, cybersecurity firm Group-IB revealed in its report.

Asia-Pacific was the most severely impacted region, with close to 41,000 stolen accounts. India was the worst-hit country, with more than 12,600 nicked accounts.

Singapore-based Group-IB scours dark web data, cybercriminal forums and underground marketplaces for stolen information.

The cybersecurity firm’s analysis showed that the majority of ChatGPT accounts were accessed using info-stealers.

These tools allow criminals to hoover up the data from web browsers on infected computers. They can then collect credentials including bank card details, crypto wallet information, cookies, and browsing history. This information is packaged in logs and sent back to the attackers’ servers for repossession.

The number of available malware logs containing compromised ChatGPT accounts reached a peak of 26,802 in May.

ChatGPT’s surging popularity has brought with it privacy concerns. Italy banned the chatbot in March over its alleged “unlawful collection of personal data,” and lack of age-verification tools. Japan also recently warned the bot’s founder OpenAI not to collect info without explicit permission.

The clampdowns came after the viral chatbot suffered a data breach on March 20, which saw the conversation histories and payment information leaked for users of its premium subscription service. At the time, OpenAI CEO Sam Altman said he regretted the leak and that the company had fixed the problem.

On the heels of the incident, OpenAI began allowing users to turn off their chat history. This meant conversations would be wiped after 30 days, though OpenAI would monitor the info for abuse. If a user opted out of sharing their history, the data would no longer be used to train the chatbot, the company noted.

"Many enterprises are integrating ChatGPT into their operational flow," said Group-IB’s Dmitry Shestakov.

"Employees enter classified correspondences or use the bot to optimize proprietary code. Given that ChatGPT’s standard configuration retains all conversations, this could inadvertently offer a trove of sensitive intelligence to threat actors if they obtain account credentials."

Perceived security and privacy risks have resulted in Apple and Samsung banning staff from using ChatGPT.

“People may not realise that their ChatGPT accounts may in fact hold a great amount of sensitive information that is sought after by cybercriminals,” said Jake Moore, global cybersecurity adviser at ESET.

“It stores all input requests by default and can be viewed by those with access to the account. It might be a wise idea to therefore disable the chat saving feature unless absolutely necessary.”

He continued: “The more data that chatbots are fed, the more they will be attractive to threat actors so it is also advised to think carefully about what information you input into cloud-based chatbots and other services.”

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.