In a startling revelation, Group-IB, a leading Singapore-based cybersecurity firm, has identified over 100,000 devices infected with information-stealing malware whose logs contained saved ChatGPT credentials.
These compromised credentials were found in the logs of information-stealing malware traded on illicit dark web markets over the past year. The number of logs containing compromised ChatGPT accounts peaked at 26,802 in May 2023. The Asia-Pacific region has seen the highest concentration of ChatGPT credentials offered for sale over the past year.
ChatGPT, an AI-powered chatbot developed by OpenAI, has become increasingly popular among employees in various industries. It is used to optimize work, from software development to business communications. By default, ChatGPT stores the history of user requests and AI responses, which, if accessed without permission, could expose confidential or sensitive information.
This information can be leveraged for targeted attacks against companies and their employees. According to the latest findings from Group-IB, ChatGPT accounts have already gained popularity among underground communities.
Group-IB’s Threat Intelligence platform, which claims to store the largest dark web data library in the industry, monitors cybercriminal forums, marketplaces and gated communities in real time. It identifies compromised credentials, stolen credit cards, new malware samples, access to corporate networks, and other critical information.
This allows companies to identify and mitigate cyber risks before further damage is done. Group-IB’s analysis of underground markets revealed that the majority of logs containing ChatGPT accounts were harvested by the infamous information stealer Raccoon.
Information stealers are a type of malware that collects saved credentials, bank card details, crypto wallet information, cookies, browsing history and other data from the browsers installed on an infected computer, then sends all of it to the malware operator.
Stealers can also collect data from instant messengers and email clients, along with detailed information about the victim’s device. They operate indiscriminately, infecting as many computers as possible through phishing or other means in order to harvest as much data as possible. Logs containing information harvested by stealers are actively traded on dark web marketplaces.
By analyzing this information, Group-IB’s Threat Intelligence unit identified the countries and regions with the highest concentration of stealer-infected devices holding saved ChatGPT credentials. The Asia-Pacific region accounted for the highest share of ChatGPT accounts stolen by info stealers (40.5%) between June 2022 and May 2023.
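The kind of analysis described above (counting stealer logs that contain ChatGPT logins per month, breaking them down by region, and pulling out the accounts a defender must act on) can be illustrated with a small triage script. The following is an added example and not Group-IB's tooling; the pipe-delimited record layout, the sample lines, the host list and the country-to-region table are all constructed assumptions, since real stealer dumps vary by malware family.

```python
"""Triage of info-stealer log records for exposed ChatGPT credentials.

Added example, not Group-IB's code. The record format is a constructed,
simplified stand-in for the per-browser-profile "URL / username / password"
entries that stealer families write; real dumps differ in layout.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse

# Constructed sample: one line per saved browser credential found in a log.
# Fields: log_id | date seen | country | url | username | password (redacted here)
SAMPLE_LOG_LINES = """\
log-0001|2023-05-02|IN|https://chat.openai.com/auth/login|alice@example.com|<redacted>
log-0001|2023-05-02|IN|https://mail.example.com/login|alice@example.com|<redacted>
log-0002|2023-05-09|BR|https://chat.openai.com/auth/login|bob@example.com|<redacted>
log-0003|2023-04-21|US|https://platform.openai.com/login|carol@acme.test|<redacted>
log-0004|2023-05-30|ID|https://chat.openai.com/auth/login|dave@partner.test|<redacted>
log-0005|2023-03-14|FR|https://shop.test/account|eve@example.com|<redacted>
malformed line without enough fields
"""

# Assumed mapping of countries to the regions used in the article's breakdown.
REGION_BY_COUNTRY = {"IN": "APAC", "ID": "APAC", "BR": "LATAM", "US": "NA", "FR": "EU"}

# Assumed list of hosts whose saved logins count as ChatGPT/OpenAI account exposure.
OPENAI_HOSTS = {"chat.openai.com", "platform.openai.com", "auth0.openai.com"}


@dataclass(frozen=True)
class CredentialRecord:
    log_id: str
    seen: date
    country: str
    host: str
    username: str


def parse_records(text):
    """Parse pipe-delimited lines into records, skipping malformed ones instead of failing."""
    records = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 6:
            continue  # stealer dumps are noisy; one bad line must not abort triage
        log_id, seen, country, url, username, _password = parts
        host = (urlparse(url).hostname or "").lower()
        records.append(CredentialRecord(log_id, date.fromisoformat(seen), country, host, username.lower()))
    return records


def openai_exposures(records):
    """Only the records whose saved login belongs to a ChatGPT/OpenAI host."""
    return [r for r in records if r.host in OPENAI_HOSTS]


def count_by_month(records):
    """Number of distinct logs per YYYY-MM that contain at least one OpenAI credential."""
    logs_by_month = defaultdict(set)
    for r in openai_exposures(records):
        logs_by_month[r.seen.strftime("%Y-%m")].add(r.log_id)
    return {month: len(ids) for month, ids in sorted(logs_by_month.items())}


def share_by_region(records):
    """Share of exposed OpenAI accounts per region, as a fraction of the total."""
    counts = Counter(REGION_BY_COUNTRY.get(r.country, "OTHER") for r in openai_exposures(records))
    total = sum(counts.values())
    return {region: n / total for region, n in counts.items()} if total else {}


def accounts_to_reset(records, org_domain):
    """Accounts under the organisation's domain whose ChatGPT login appeared in a stealer log.

    These are the candidates for a forced password reset and 2FA enforcement.
    """
    suffix = "@" + org_domain.lower()
    return sorted({r.username for r in openai_exposures(records) if r.username.endswith(suffix)})


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG_LINES)
    print("logs with OpenAI credentials per month:", count_by_month(recs))
    print("share by region:", share_by_region(recs))
    print("example.com accounts to reset:", accounts_to_reset(recs, "example.com"))
```

Counting distinct log IDs rather than credential lines matters: one infected machine usually yields several saved logins, so counting lines would inflate the "infected devices" figure. The domain filter at the end is the piece an enterprise security team would wire into its own feed to turn a dark web finding into a reset-and-enrol action.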
“Many companies integrate ChatGPT into their operational flow. Employees enter classified matches or use the bot to optimize proprietary code. Since ChatGPT’s standard configuration retains all conversations, it could inadvertently offer a wealth of sensitive information to threat actors if they obtain account credentials,” said Dmitry Shestakov, head of threat intelligence at Group-IB.
To mitigate the risks associated with compromised ChatGPT accounts, Group-IB advises users to regularly update their passwords and implement two-factor authentication (2FA). By enabling 2FA, users are required to provide an additional verification code, usually sent to their mobile devices, before accessing their ChatGPT accounts.