ChatGPT Credentials

More than 225,000 logs containing compromised OpenAI ChatGPT credentials were made available for sale on underground markets between January and October 2023, new findings from Group-IB show.

These credentials were found within information stealer logs associated with LummaC2, Raccoon, and RedLine stealer malware.

"The number of infected devices decreased slightly in mid- and late summer but grew significantly between August and September," the Singapore-headquartered cybersecurity company said in its Hi-Tech Crime Trends 2023/2024 report published last week.


Between June and October 2023, more than 130,000 unique hosts with access to OpenAI ChatGPT were infiltrated, a 36% increase over what was observed during the first five months of 2023. The breakdown by the top three stealer families is below -

  • LummaC2 - 70,484 hosts
  • Raccoon - 22,468 hosts
  • RedLine - 15,970 hosts

"The sharp increase in the number of ChatGPT credentials for sale is due to the overall rise in the number of hosts infected with information stealers, data from which is then put up for sale on markets or in UCLs," Group-IB said.

The development comes as Microsoft and OpenAI revealed that nation-state actors from Russia, North Korea, Iran, and China are experimenting with artificial intelligence (AI) and large language models (LLMs) to complement their ongoing cyber attack operations.

ChatGPT Credentials

Stating that LLMs can be used by adversaries to brainstorm new tradecraft, craft convincing scam and phishing attacks, and improve operational productivity, Group-IB said the technology could also speed up reconnaissance, facilitate the execution of hacking toolkits, and make scammer robocalls.

"In the past, [threat actors] were mainly interested in corporate computers and in systems with access that enabled movement across the network," it noted. "Now, they also focus on devices with access to public AI systems.


"This gives them access to logs with the communication history between employees and systems, which they can use to search for confidential information (for espionage purposes), details about internal infrastructure, authentication data (for conducting even more damaging attacks), and information about application source code (to analyze it and identify potential vulnerabilities that could be exploited)."

Abuse of valid account credentials by threat actors has emerged as a top access technique, primarily fueled by the easy availability of such information via stealer malware.

"The combination of a rise in infostealers and the abuse of valid account credentials to gain initial access has exacerbated defenders' identity and access management challenges," IBM X-Force said.

"Enterprise credential data can be stolen from compromised devices through credential reuse, browser credential stores, or accessing enterprise accounts directly from personal devices."

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.