A cybercriminal acting under the monicker “emirking” offered 20 million OpenAI user login credentials this week, sharing what appeared to be samples of the stolen data itself.
A translation of the Russian statement by the poster says:
“When I realized that OpenAI might have to verify accounts in bulk, I understood that my password wouldn’t stay hidden. I have more than 20 million access codes to OpenAI accounts. If you want, you can contact me—this is a treasure.”
The statement suggests that the cybercriminal found access codes which could be used to bypass the platform’s authentication systems. It seems unlikely that such a large amount of credentials could be harvested in phishing operations against users, so if the claim is true, emirking may have found a way to compromise the auth0.openai.com subdomain by exploiting a vulnerability or by obtaining administrator credentials.
While emirking looks like a relatively new user of the forums (they joined in January 2025), that doesn’t necessarily mean anything. They could have posted under another handle previously and switched because of security reasons.
Millions of users around the world rely on OpenAI platforms like ChatGPT and other GPT integrations.
With the allegedly stolen credentials, cybercriminals could possibly access sensitive information provided during conversations and queries with OpenAI. This stolen data could prove useful in targeted phishing campaigns and financial fraud. But the stolen credentials could also be used to abuse the OpenAI API and have the victims pay for their usage of OpenAI’s “Plus” or “Pro” features. However, other users of the same dark web forum claimed that the posted credentials did not provide access to the ChatGPT conversations of the leaked accounts.
True or not, this comes at a bad time for OpenAI after Microsoft recently investigated accusations that DeepSeek used OpenAI’s ChatGPT model to train DeepSeek’s AI chatbot.
What can users do?
If you fear that this breach might include your credentials you should:
- Change your password.
- Enable multi-factor authentication (MFA).
- Monitor your account for any unusual activity or unauthorized usage.
- Beware of phishing attempts using the information that might be stolen as part of this breach.
BreachForums, the Dark Web forum where the accounts were offered for sale was offline at the time of writing, so we were unable to verify any claims ourselves. We will do so when the opportunity arises and keep you posted, so stay tuned.