Twilight Research: The OpenAI Credentials Leak

Posted on March 3, 2025
Recent headlines have raised alarms about a massive leak of OpenAI account credentials. In early 2025, a hacker claimed on a dark web forum to be selling 20 million OpenAI login credentials belonging to users of ChatGPT and other OpenAI services.
This staggering figure sparked fears that OpenAI itself had been breached. OpenAI, however, responded that it had “not seen any evidence” of a compromise in its own systems.
So, where did these millions of supposedly leaked credentials come from?
At Twilight Cyber, we deliver real-time intelligence on compromised machines and stolen credentials, track underground marketplace activity, and give organizations the insight they need to act before threats escalate. Our latest research uncovers a rapidly expanding malware campaign that is affecting users worldwide and fueling credential theft at scale. Here’s what we found.
Analyzing the Infection Trend
To understand the context, we first looked at infostealer infection trends over the last three years in which OpenAI user credentials were captured. In 2022, infections yielding OpenAI credentials were almost negligible, only a few hundred per month on average.
In 2023, as ChatGPT’s popularity exploded, the number of infections skyrocketed. Our data shows a steady rise through 2023, from a couple of thousand in January to as many as 17,000 in July. By the close of 2023, recorded infections for the year had surged to nearly 100,000, a massive jump from 2022.
2024 continued the trend, with a total of 300,000 malware infections stealing OpenAI logins, roughly three times the 2023 volume.
What is behind the interest in OpenAI credentials?
The timeline suggests that the credential theft problem grew in parallel with OpenAI’s user base. As millions of users flocked to ChatGPT for work and personal use, cybercriminals ramped up efforts to infiltrate those accounts.
By mid-2023, ChatGPT had become a household name and tool, including in corporate settings. Cybercriminals took note: stolen ChatGPT credentials became hot commodities on dark web markets.
As more employees and individuals rely on ChatGPT, demand among attackers for valid OpenAI logins has grown accordingly. In other words, the more people use these AI tools, the more valuable those accounts become to attackers.
Twilight Cyber found that criminals have misused compromised OpenAI accounts belonging to over 2,250 different organizations, potentially reading private conversations, launching targeted phishing (using personal details gleaned from chat history), or abusing paid API access at the victim’s expense.
The Real Source of Stolen Credentials
So, were OpenAI’s own servers hacked to produce 20 million stolen logins? All evidence, including OpenAI’s own statements, indicates no.
Independent analyses of the 20M credential dataset concluded it was sourced from malware on users’ devices, not from a breach of OpenAI. Researchers cross-referenced a sample of the leaked OpenAI logins against a large collection of infostealer data and found that every credential in the sample matched an entry in those malware logs.
Our research identified several prolific infostealer malware families responsible for the bulk of the stolen OpenAI credentials. Five strains in particular stand out:
- LummaC2
- RedLine
- StealC
- RisePro
- Meta (MetaStealer)
These five alone accounted for over 400,000 compromised OpenAI logins in our dataset, with LummaC2 topping the list at roughly 155,000 and RedLine close behind at roughly 100,000. The names may be unfamiliar to everyday users, but in the cybercriminal underground they are well-known threats.
RedLine and StealC are sold as Malware-as-a-Service, so anyone willing to pay the fee can deploy them. RisePro is a newer stealer that spreads via fake software installers, and MetaStealer is another credential-pilfering tool.
How do these malware strains operate?
In general, info-stealer malware infects a victim’s computer (often via malicious email attachments, pirated software downloads, or trojanized game mods) and then scavenges the system for saved credentials.
Once running, an infostealer will scan browser password stores, cookies, authentication tokens, and even clipboard contents. Any login data it finds, whether for OpenAI, email, banking, or other services, gets quietly collected and sent back to the attacker’s server.
“Infostealers work non-selectively… infecting as many computers as possible… to collect as much data as possible.”
The stolen data (often called “logs”) are then packaged and sold in bulk on dark web marketplaces to other cybercriminals. Typically, multiple unrelated breaches get combined and resold, which makes it look like a single massive leak even though it’s really a compilation of many small infections.
Who Is Being Targeted?
Users from all over the world are falling victim to these credential stealers. Our analysis of the geographic distribution of stolen OpenAI logins shows a global footprint. The top five countries by number of compromised accounts in our data were:
- India – approximately 29,380 stolen credentials
- Pakistan – approximately 27,777
- Brazil – approximately 26,082
- Vietnam – approximately 21,020
- Egypt – approximately 17,970
Indonesia (~13,000), the United States (~12,700), and the Philippines (~12,600) each also accounted for more than ten thousand OpenAI credentials harvested by infostealers.
These nations have huge user bases of internet and tech users, many of whom enthusiastically adopted AI tools like ChatGPT for work, education, and daily tasks. High usage creates a big target pool for cybercriminals.
Additionally, info-stealer malware often spreads through channels like pirated software sites, crack downloads, and phishing links, which might be more frequently encountered in regions with less access to licensed software or lower general cybersecurity awareness.
However, it’s important to note that even wealthier, cyber-savvy countries are affected (the U.S. and parts of Europe contributed substantial numbers as well).
Debunking the 20 Million Claim
Our findings, along with analyses by security experts, strongly suggest that the 20 million figure is misrepresented. Here’s why:
First, the numbers don’t add up in the way one might think. The hacker’s 20 million figure likely refers to a compilation of stolen data accumulated from numerous malware infections over an extended period. It’s not 20 million users from a single breach, but rather many smaller thefts aggregated.
In our own data, the top malware families accounted for roughly 400,000 stolen OpenAI logins in 2024. Even if other malware families and earlier years contribute more, reaching 20,000,000 requires combining multiple years and multiple strains, and very probably a large number of duplicate or inactive records.
It’s very possible that many of those 20 million credentials are outdated or repeated entries from different log sources. Thus, the scary-sounding number doesn’t represent 20 million unique, active OpenAI account breaches, but rather a lump sum of years’ worth of malware output.
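As an added example (not code from Twilight Cyber or from the analyses cited above), the following Python script shows the two checks this section and the earlier cross-referencing rely on: matching a seller’s "url:user:pass" sample against infostealer logs, and de-duplicating a log compilation to see how far the raw record count exceeds the number of unique accounts. Every log record and the leaked sample are constructed, the log layout is a simplified stand-in for real stealer output, and the registrable-domain logic is a two-label approximation rather than a public-suffix lookup.

```python
"""Cross-reference a leaked-credential sample against infostealer logs and
de-duplicate the logs into unique accounts.

Constructed example: the records below are invented and the log layout is a
simplified stand-in for real stealer output (family, capture date, URL the
browser stored the login for, username, password).
"""
from collections import Counter
from urllib.parse import urlsplit

# Constructed stealer-log records. Note the deliberate duplicates: alice's
# OpenAI login shows up in three logs from two families and two years, which
# is exactly how a resold compilation inflates its headline count.
STEALER_LOGS = [
    ("LummaC2", "2024-03-02", "https://auth.openai.com/u/login", "alice@example.com", "Pass1"),
    ("LummaC2", "2024-06-11", "https://chat.openai.com/auth/login", "alice@example.com", "Pass1"),
    ("RedLine", "2023-07-19", "https://auth0.openai.com/u/login/identifier", "alice@example.com", "Pass1"),
    ("RedLine", "2023-08-01", "https://platform.openai.com/login", "bob@example.org", "hunter2"),
    ("StealC", "2024-01-15", "https://chat.openai.com/", "carol@example.net", "qwerty!"),
    ("RisePro", "2024-05-20", "https://auth.openai.com/u/login", "dave@example.com", "letmein"),
    ("Meta", "2022-11-30", "https://beta.openai.com/login", "erin@example.com", "oldpass"),
    ("StealC", "2024-02-03", "https://mail.example.com/login", "carol@example.net", "qwerty!"),  # not OpenAI
]

# Constructed "sample" in the url:user:pass form sellers typically post.
# The last line is a credential that exists in no log, to show a non-match.
LEAKED_SAMPLE = """\
https://auth.openai.com/u/login:alice@example.com:Pass1
https://platform.openai.com/login:bob@example.org:hunter2
chat.openai.com:carol@example.net:qwerty!
https://auth.openai.com/u/login:mallory@example.com:notinlogs
"""


def hostname(url):
    """Return the lower-cased hostname of a URL, tolerating bare 'host/path' entries."""
    if "://" not in url:
        url = "//" + url
    host = urlsplit(url).hostname
    return host.lower() if host else ""


def service_of(host):
    """Collapse sub-domains to the last two labels (auth.openai.com -> openai.com).

    This approximates the registrable domain and is adequate for *.openai.com;
    a production pipeline should use the public suffix list instead.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def credential_key(url, user, password):
    """Identity of one account: service plus case-folded username plus password."""
    return (service_of(hostname(url)), user.strip().lower(), password)


def parse_leaked_sample(text):
    """Parse seller-style url:user:pass lines into credential keys.

    Assumes passwords contain no ':' (true of the constructed sample).
    """
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        url, user, password = line.rsplit(":", 2)
        keys.append(credential_key(url, user, password))
    return keys


def openai_records(logs):
    """Keep only log records whose stored login belongs to openai.com."""
    return [r for r in logs if service_of(hostname(r[2])) == "openai.com"]


def analyze(logs, sample_text):
    """Match the sample against the logs and report raw versus unique counts."""
    openai = openai_records(logs)
    unique = {}  # credential key -> list of (family, year) that captured it
    for family, day, url, user, password in openai:
        unique.setdefault(credential_key(url, user, password), []).append((family, day[:4]))
    sample_keys = parse_leaked_sample(sample_text)
    matched = [k for k in sample_keys if k in unique]
    unmatched = [k for k in sample_keys if k not in unique]
    return {
        "raw_openai_records": len(openai),
        "unique_openai_credentials": len(unique),
        "by_family": Counter(r[0] for r in openai),
        "by_year": Counter(r[1][:4] for r in openai),
        "sample_size": len(sample_keys),
        "sample_matched": len(matched),
        "sample_unmatched": [k[1] for k in unmatched],
    }


if __name__ == "__main__":
    report = analyze(STEALER_LOGS, LEAKED_SAMPLE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against real logs, the gap between `raw_openai_records` and `unique_openai_credentials` is the number to report next to any headline figure: a credential captured by two families in two years is one compromised account, not four. The match step deliberately keys on service, username and password rather than the exact URL, because the same OpenAI login is stored by browsers under several hostnames.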
Say No to Infostealer Malware With Twilight Cyber
Infostealer malware campaigns are a serious threat to your organization. At Twilight Cyber, we provide the most advanced threat intelligence and dark web monitoring solutions to detect and neutralize credential theft before it becomes a major security risk.
Our industry-leading cybersecurity platform helps organizations:
- Identify stolen credentials in real-time by continuously scanning underground forums, dark web marketplaces, and hacker communities.
- Proactively prevent account takeovers by alerting organizations when their employees’ credentials have been compromised.
Contact Twilight Cyber today to learn how we can help secure your organization against credential theft and other cyber threats.
Recommended blogs

Spanish telecommunications giant Telefonica recently fell victim to a significant cybersecurity breach, showing that even large organizations can be vulnerable. The event highlights how important it is to maintain strong defenses, especially against infostealers, malware designed specifically to steal information.
The Breach: What Happened?
This month (January 2025), Telefonica confirmed unauthorized access to its internal Jira ticketing system. The breach, orchestrated by attackers allegedly linked to the Hellcat ransomware group, resulted in the theft of approximately 2.3 GB of sensitive data. The stolen information included:
- 24,000 employee emails and names
- 500,000 Jira issues and summaries
- 5,000 internal documents
- 236,493 lines of customer data
The Attack Vector: Infostealer Malware
The breach was facilitated by infostealer malware, malicious software designed to harvest sensitive information such as login credentials from infected devices. Numerous employees were reported to be compromised, providing attackers with credentials for initial access:
- 469 employee credentials on Telefonica’s domain were compromised.