ChatGPT: Over 100,000 stolen accounts listed on the dark web, report says

Thousands of ChatGPT users in Europe have had their account details taken, amongst others
ChatGPT continues to raise privacy fears after a new cybersecurity report revealed the extent of stolen user accounts
Saqib Shah, 21 June 2023

More than 101,000 ChatGPT accounts have been stolen using malicious software over the past year.

Cybersecurity researchers discovered the information within the archives of malware traded on illicit dark web marketplaces, according to a new report.

ChatGPT is an AI chatbot created by tech research firm OpenAI that can have conversations on a range of subjects. The service hit 1.8 billion visits in May, according to data from Similarweb.

Almost 17,000 ChatGPT users in Europe had their account details pilfered from so-called “stealer-infected” devices, cybersecurity firm Group-IB revealed in its report.

Asia-Pacific was the most severely impacted region, with close to 41,000 stolen accounts. India was the worst-hit country, with more than 12,600 nicked accounts.

Singapore-based Group-IB scours dark web data, cybercriminal forums and underground marketplaces for stolen information.

The cybersecurity firm’s analysis showed that the majority of ChatGPT accounts were accessed using info-stealers.

These tools allow criminals to hoover up the data from web browsers on infected computers. They can then collect credentials including bank card details, crypto wallet information, cookies, and browsing history. This information is packaged in logs and sent back to the attackers’ servers for retrieval.

The number of available malware logs containing compromised ChatGPT accounts reached a peak of 26,802 in May.

ChatGPT’s surging popularity has brought with it privacy concerns. Italy banned the chatbot in March over its alleged “unlawful collection of personal data,” and lack of age-verification tools. Japan also recently warned the bot’s founder OpenAI not to collect info without explicit permission.

The clampdowns came after the viral chatbot suffered a data breach on March 20, which saw the conversation histories and payment information leaked for users of its premium subscription service. At the time, OpenAI CEO Sam Altman said he regretted the leak and that the company had fixed the problem.

On the heels of the incident, OpenAI began allowing users to turn off their chat history. This meant conversations would be wiped after 30 days, though OpenAI would monitor the info for abuse. If a user opted out of sharing their history, the data would no longer be used to train the chatbot, the company noted.

"Many enterprises are integrating ChatGPT into their operational flow," said Group-IB’s Dmitry Shestakov.

"Employees enter classified correspondences or use the bot to optimize proprietary code. Given that ChatGPT’s standard configuration retains all conversations, this could inadvertently offer a trove of sensitive intelligence to threat actors if they obtain account credentials."

Perceived security and privacy risks have resulted in Apple and Samsung banning staff from using ChatGPT.

“People may not realise that their ChatGPT accounts may in fact hold a great amount of sensitive information that is sought after by cybercriminals,” said Jake Moore, global cybersecurity adviser at ESET.

“It stores all input requests by default and can be viewed by those with access to the account. It might be a wise idea to therefore disable the chat saving feature unless absolutely necessary.”

He continued: “The more data that chatbots are fed, the more they will be attractive to threat actors so it is also advised to think carefully about what information you input into cloud-based chatbots and other services.”
