A hacker’s claim of stealing 20 million OpenAI login credentials comes from widespread malware infections rather than a security breach, cybersecurity firm KELA reported on February 10, 2025.
The threat actor, known as “emirking,” advertised the credentials for sale on BreachForums on February 6. OpenAI quickly launched an investigation into the matter.
“We take these claims seriously,” an OpenAI spokesperson said. “We have not seen any evidence that this is connected to a compromise of OpenAI systems to date.”
KELA’s investigation revealed the credentials originated from victims’ computers infected with information-stealing malware. The security firm matched the sample data with its database of more than one billion compromised records.
“These credentials were cross-referenced with KELA’s data lake of compromised accounts obtained from infostealer malware, which contains more than a billion records, including over 4 million bots collected in 2024,” KELA reported in its analysis.
The stolen information came from five types of malware. Eight cases involved Redline malware, while RisePro and Lumma each had five cases. StealC and Vidar were found in four cases each.
The login details were collected from 14 sources, including private Telegram channels and public forums where hackers trade stolen data. Most of the data was taken between January and April 2024.
“The credentials appear to be a part of a larger dataset scraped from a mix of private and public sources that sell and share infostealer logs,” the security firm noted.
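The cross-referencing KELA describes above, as an added illustration that is not KELA’s tooling or code: a claimed “breach” sample in the login:password form such listings typically use is checked against an index of previously collected infostealer logs, and the matches are tallied by malware family, by collection source and by theft date. The stealer records, user names and passwords below are constructed for the example; the index stores only a salted-style hash of the login and password pair, so no plaintext credentials are retained.

```python
"""Cross-reference a claimed credential leak against an index of infostealer logs.

Added example (not KELA's code). Shows how an analyst decides whether a sample
advertised as a fresh breach is really recycled stealer-log data.
"""
import hashlib
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class StealerRecord:
    login: str
    password: str
    malware: str      # family that produced the log (e.g. Redline, Lumma)
    source: str       # channel or forum the log was collected from
    stolen_on: date   # date the log was generated


def credential_key(login: str, password: str) -> str:
    """Index key: case-normalised login plus the password, hashed together.

    Only the digest is stored, so the index never holds plaintext passwords.
    """
    norm = login.strip().lower()
    return hashlib.sha256(f"{norm}\x00{password}".encode()).hexdigest()


# Constructed sample stealer logs (hypothetical accounts and passwords).
STEALER_LOGS = [
    StealerRecord("alice@example.com", "Winter2024!", "Redline", "telegram:private-a", date(2024, 2, 3)),
    StealerRecord("bob@example.com", "hunter2", "Lumma", "forum:public-b", date(2024, 3, 14)),
    StealerRecord("carol@example.com", "correct-horse", "Vidar", "telegram:private-a", date(2024, 1, 22)),
    StealerRecord("dave@example.com", "qwerty123", "RisePro", "forum:public-c", date(2024, 4, 9)),
]


def build_index(records):
    """Map each credential digest to every stealer record that contained it."""
    index = {}
    for rec in records:
        index.setdefault(credential_key(rec.login, rec.password), []).append(rec)
    return index


# Constructed "leak sample" in the login:password form usually advertised.
CLAIMED_SAMPLE = """\
alice@example.com:Winter2024!
BOB@example.com:hunter2
dave@example.com:qwerty123
erin@example.com:new-unseen-secret
"""


def parse_sample(text):
    """Parse login:password lines; the password may itself contain ':'."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        login, password = line.split(":", 1)
        pairs.append((login, password))
    return pairs


def cross_reference(sample_text, index):
    """Return how much of the sample is already known from stealer logs, and from where."""
    pairs = parse_sample(sample_text)
    by_malware, by_source, dates, unmatched = Counter(), Counter(), [], []
    matched = 0
    for login, password in pairs:
        hits = index.get(credential_key(login, password))
        if not hits:
            unmatched.append(login.strip().lower())
            continue
        matched += 1
        for hit in hits:
            by_malware[hit.malware] += 1
            by_source[hit.source] += 1
            dates.append(hit.stolen_on)
    return {
        "total": len(pairs),
        "matched": matched,
        "by_malware": dict(by_malware),
        "by_source": dict(by_source),
        "earliest": min(dates) if dates else None,
        "latest": max(dates) if dates else None,
        "unmatched": unmatched,
    }


if __name__ == "__main__":
    report = cross_reference(CLAIMED_SAMPLE, build_index(STEALER_LOGS))
    print(f"{report['matched']}/{report['total']} credentials already present in stealer logs")
    print("by malware family:", report["by_malware"])
    print("by collection source:", report["by_source"])
    print("theft window:", report["earliest"], "to", report["latest"])
    print("not seen before:", report["unmatched"])
```

A high match rate against existing logs, a spread of malware families and a theft window well before the advertised date are the signals that point to recycled infostealer data rather than a compromise of the service itself; the unmatched remainder is what would still need investigation.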
The post advertising the credentials has since been deleted from BreachForums, though emirking remains a member of the platform. The cybercriminal joined the forum on January 9, 2025, and had made only one other post before the OpenAI claim.
The incident points to a growing cybersecurity threat from information-stealing malware. KELA reported that in 2024 alone, such malware compromised more than 3 million OpenAI user accounts and 174,000 Gemini user accounts.
Security experts recommend enabling multi-factor authentication and using unique passwords for each online service to protect against such malware attacks.