A hacker recently offered to sell 20 million OpenAI credentials, but the data likely comes from information-stealing malware, not the AI firm’s systems.

A hacker using the online moniker ‘emirking’ recently claimed on the BreachForums cybercrime forum that they have obtained credentials associated with 20 million OpenAI accounts, suggesting that the data was up for sale.

OpenAI has investigated the claims and a spokesperson told SecurityWeek, “We take these claims seriously. We have not seen any evidence that this is connected to a compromise of OpenAI systems to date.”

Threat intelligence firm Kela has conducted an analysis of the sample data made available by the hacker and determined that the OpenAI credentials were likely obtained by infostealer malware.

“These credentials were cross-referenced with KELA’s data lake of compromised accounts obtained from infostealer malware, which contains more than a billion records, including over 4 million bots collected in 2024,” Kela said. 

“All credentials from the sample shared by the actor ‘emirking’ were found to originate in these compromised accounts, likely hinting at the source of the full 20 million OpenAI accounts that the actor intends to sell. The actor’s first post on BreachForums, related to infostealer logs, strengthens the assessment,” the company added.

Kela’s analysis found that the credentials posted on the hacking forum originated from over a dozen sources. They appear to come from a bigger dataset containing information harvested by information-stealing malware such as Redline, RisePro, StealC, Lumma and Vidar. 

“The credentials appear to be a part of a larger dataset scraped from a mix of private and public sources that sell and share infostealer logs,” the security firm noted.

Kela pointed out that the post advertising the OpenAI credentials has since been deleted. 

BreachForums is often used by hackers who claim to have obtained valuable data from major companies. However, in many cases the hackers’ claims turn out to be either false or exaggerated.

Related: Hacker Who Targeted NATO, US Army Arrested in Spain

Related: Infostealer Infections Lead to Telefonica Ticketing System Breach

Related: Hacker Leaks Cisco Data

Related: 760,000 Employee Records From Several Major Firms Leaked Online