Also: Researchers Bypass GitHub Copilot’s Protections, Deloitte Pays $5M for Breach

Every week, ISMG rounds up cybersecurity incidents and breaches around the world. This week: a hacker claims to have 20 million OpenAI logins, Sweden clears a ship in the Baltic cable damage case, researchers find ways to bypass GitHub Copilot’s protections, Netgear patches router flaws, an undetectable Mac backdoor raises alarms, cyberattacks target aviation organizations, Spanish police nab a hacker who targeted NATO and the U.S. Army, and Deloitte pays $5M for the RIBridges breach.
Hacker Claims 20 Million Stolen OpenAI Logins Are for Sale
An anonymous Russian-speaking hacker is claiming to have stolen login credentials of 20 million OpenAI users and is offering the data for sale on the dark web.
According to news reports citing a dark web forum post, the hacker posted a sample of user email addresses and passwords, claiming: “I have more than 20 million access codes to OpenAI accounts. If you want, you can contact me – this is a treasure, and Jesus thinks so too.”
OpenAI, which operates the popular ChatGPT generative artificial intelligence platform, has not issued a statement about the breach claim. The company did not immediately respond to a request for comment by Information Security Media Group. In December 2024, the company said ChatGPT has over 300 million weekly active users and generated more than 1 billion responses a day.
Sweden Clears Ship in Baltic Cable Damage, Norway Still Investigating
Swedish authorities cleared the cargo ship Vezhen of sabotage suspicions and released it from custody, ruling that the damage it caused to a Sweden-Latvia undersea cable was accidental. The Swedish Prosecution Authority announced Monday that weather conditions, equipment failures and human error – not intentional sabotage – led to the Jan. 26 cable break.
The Vezhen, owned by a Bulgarian shipping company, was seized and its crew interrogated. After the interrogations and forensic analysis, senior prosecutor Mats Ljungqvist confirmed: “We can say with certainty that this is not a case of sabotage.” Sweden’s Security Service continues to investigate whether other crimes are linked to the incident.
The ruling may influence Norway’s ongoing investigation into the Silver Dania, a Russian-crewed cargo vessel detained last week at Latvia’s request over similar suspicions. Though the ship was initially suspected of involvement in damaging an undersea cable, Norwegian police have yet to find evidence linking it or its crew to the act.
Finland in December 2024 seized the Eagle S after it allegedly dragged an anchor for 100 kilometers, severing multiple cables. Finnish authorities suspect deliberate damage, though intelligence sources suggest some incidents may have been accidental.
Researchers Find Ways to Bypass GitHub Copilot’s Protections
Security researchers at Apex have discovered new techniques to bypass GitHub Copilot’s safeguards, enabling malicious code generation, unauthorized access to AI models and circumvention of subscription fees. While Apex classifies these as vulnerabilities, GitHub describes them as “abuse issues.”
One method exploits Copilot’s chat-like interaction embedded in code. By inserting prompts requesting harmful outputs, developers can manipulate the AI into compliance. If Copilot initially refuses to generate malicious code, users can alter its response by replacing the rejection with misleading affirmations, such as “Sure.” This technique can produce malware, engineer harmful outputs, or embed dangerous behavior in AI-powered applications.
Another method intercepts Copilot’s communication with large language models such as OpenAI’s GPT, Google’s Gemini and Anthropic’s Claude. By redirecting Copilot’s traffic through a controlled proxy, the researchers captured authentication tokens, bypassed usage restrictions and accessed AI models without a subscription. They also extracted system prompts that dictate Copilot’s behavior. This exploit raises privacy concerns, as intercepted data may reveal sensitive developer queries, internal code logic and corporate strategies.
Netgear Patches Critical Router Flaws, Urges Firmware Updates
Netgear is urging customers to update their firmware after patching two critical vulnerabilities affecting multiple routers. The flaws are an authentication bypass, tracked by Netgear as PSV-2024-0117 with a CVSS score of 9.6, and an unauthenticated remote code execution bug, PSV-2023-0039, with a CVSS score of 9.8. They affect several models, including the end-of-life WAX206 and WAX220. The RCE flaw also affects the Nighthawk gaming routers XR100, XR1000v2 and XR500, which remain supported.
While Netgear has not disclosed whether the flaws have been exploited, the severity of the vulnerabilities and continued updates for EOL products suggest significant risk.
Undetectable Mac Backdoor Raises Security Alarms
Amid growing concerns over fully undetectable cyberthreats, a security researcher at Denwp Research uncovered a Mac backdoor, dubbed Tiny FUD, designed to evade antivirus and security tools. The malware uses process name manipulation, DYLD injection and command-and-control execution to infiltrate macOS systems undetected.
The Dynamic Link Editor, dyld, loads and links dynamic libraries at runtime. Setting the DYLD_INSERT_LIBRARIES environment variable instructs it to load an attacker-supplied library into a process before the program’s own code runs, which is how the backdoor injects malicious code. C2 servers enable remote control over infected devices. The malware, built with Apple’s Xcode development tools, is also suspected of being signed to bypass macOS Gatekeeper and System Integrity Protection.
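The two techniques above, process name manipulation and DYLD_INSERT_LIBRARIES injection, both leave traces a defender can hunt for: the variable shows up in a running process’s environment or in a launchd agent’s EnvironmentVariables dictionary, and a spoofed process name stops matching the executable actually on disk. The following scanner is an added example written for this roundup, not code from Denwp Research or from the malware analysis. It runs over constructed sample data standing in for `ps -Eww -o pid,ucomm,args` output and a LaunchAgent plist; the PIDs, paths, label and library name are invented for the example.

```python
"""Hunt for DYLD_INSERT_LIBRARIES injection and process-name spoofing on macOS.

Constructed sample data stands in for `ps -Eww -o pid,ucomm,args` output and a
LaunchAgent plist; on a real host, feed the two scan functions live data instead.
"""
import os
import plistlib
import re
from typing import Dict, List

# Environment variables that make dyld load or redirect code at process start.
DYLD_INJECTION_VARS = ("DYLD_INSERT_LIBRARIES", "DYLD_LIBRARY_PATH", "DYLD_FRAMEWORK_PATH")

# Constructed sample (invented PIDs and paths): `ps -Eww -o pid,ucomm,args`, where
# macOS `-E` appends each process's environment after its arguments. PID 2305 calls
# itself "Finder" but runs a binary from /Users/Shared and carries
# DYLD_INSERT_LIBRARIES; the other rows are benign.
SAMPLE_PS_OUTPUT = """\
  PID UCOMM            ARGS
  412 cfprefsd         /usr/sbin/cfprefsd agent HOME=/var/root PATH=/usr/bin:/bin
 2231 Safari           /Applications/Safari.app/Contents/MacOS/Safari HOME=/Users/alice
 2305 Finder           /Users/Shared/.cache/updater DYLD_INSERT_LIBRARIES=/Users/Shared/.cache/libhelper.dylib HOME=/Users/alice
"""

# Constructed sample LaunchAgent (invented label and library path) that persists the
# injection: launchd exports EnvironmentVariables to the program it starts.
SAMPLE_LAUNCH_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.update.helper</string>
  <key>ProgramArguments</key><array><string>/usr/bin/python3</string></array>
  <key>EnvironmentVariables</key>
  <dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Users/Shared/.cache/libhelper.dylib</string>
  </dict>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""


def scan_ps_environment(ps_output: str) -> List[Dict]:
    """Flag processes carrying DYLD_* injection variables or a spoofed process name."""
    findings = []
    for line in ps_output.splitlines()[1:]:  # skip the column header
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, ucomm, args = parts
        # Assumption for this example: the executable path contains no spaces.
        exe = args.split()[0]
        for var in DYLD_INJECTION_VARS:
            match = re.search(rf"(?:^|\s){var}=(\S+)", args)
            if match:
                findings.append({"pid": int(pid), "process": ucomm, "exe": exe,
                                 "reason": f"{var}={match.group(1)}"})
        # A process that renamed itself (e.g. to "Finder") no longer matches its binary.
        if exe.startswith("/") and os.path.basename(exe) != ucomm:
            findings.append({"pid": int(pid), "process": ucomm, "exe": exe,
                             "reason": "process name does not match executable"})
    return findings


def scan_launchd_plist(plist_bytes: bytes) -> List[Dict]:
    """Flag a launchd job whose EnvironmentVariables set a DYLD_* injection variable."""
    data = plistlib.loads(plist_bytes)
    env = data.get("EnvironmentVariables") or {}
    return [{"label": data.get("Label"), "var": var, "value": env[var]}
            for var in DYLD_INJECTION_VARS if var in env]


if __name__ == "__main__":
    for hit in scan_ps_environment(SAMPLE_PS_OUTPUT) + scan_launchd_plist(SAMPLE_LAUNCH_AGENT):
        print(hit)
```

Two caveats when running this against a live host. `ucomm` is truncated to 16 characters by the kernel, so long legitimate executable names will trip the name-mismatch check unless the comparison is likewise truncated. And dyld discards DYLD_* variables for restricted processes (setuid binaries, platform binaries and apps with the hardened runtime that lack the allow-dyld-environment-variables entitlement), so a hit on such a target is noise, whereas a hit on an unrestricted binary in a user-writable path, as in the sample, is the pattern worth escalating.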
Spanish Police Nab Hacker Targeting NATO, US Army
A joint operation by the Spanish National Police and Civil Guard led to the arrest of a hacker in Alicante accused of over 40 cyberattacks on strategic organizations. The suspect is charged with crimes that include discovery and disclosure of secrets, illegal access to computer systems, computer damage, and money laundering.
The hacker reportedly infiltrated computer systems of public and private organizations, such as the Civil Guard, Ministry of Defense, National Mint and Stamp Factory, Ministry of Education, Generalitat Valenciana, and several Spanish universities. International targets included databases of NATO, the U.S. Army, the United Nations and the International Civil Aviation Organization. The suspect also claimed responsibility for the attacks on dark web forums, using multiple pseudonyms to avoid detection.
Investigations began in February 2024 after a Madrid business association reported a data leak and website defacement. The hacker used anonymous messaging and browsing applications to hide his digital footprint. Authorities seized cryptocurrencies and computer equipment, which are undergoing analysis. The National Cryptologic Centre of the National Intelligence Centre collaborated in the operation, along with international cooperation from Europol and Homeland Security Investigations of the U.S.
Cyberattacks Target Aviation Organizations
The International Civil Aviation Organization, a UN agency, is investigating a data breach in which a threat actor known as Natohub accessed approximately 42,000 recruitment application records from April 2016 to July 2024. ICAO confirmed that 11,929 individuals were affected, and is now reaching out to them. The compromised data includes names, email addresses, dates of birth and employment history. The breach does not affect systems related to aviation safety or security operations.
Shortly after the ICAO incident, the Arab Civil Aviation Organization was also targeted. Threat actors exploited a vulnerable web application using SQL injection, leading to the exfiltration of staff and member records, including credentials. The victims included safety aviation specialists and incident investigators. The ACAO data, which includes logins, password hashes, emails, titles and communications, was posted on a dark web community on Feb. 4, 2024. Representatives from various aviation organizations, including those from Qatar, Saudi Arabia, Iran and Jordan, were identified in the stolen data.
Resecurity, which discovered the ACAO breach and notified the agency, said the timing of the two incidents is concerning, given the increase in significant aviation incidents and complicated geopolitical narratives.
Deloitte Agrees to Pay $5M for RIBridges Breach
Deloitte has agreed to pony up $5 million to the state of Rhode Island to help pay for expenses related to the data breach involving RIBridges, the state’s benefits system that was hacked in December allegedly by ransomware gang Brain Cipher (see: Thousands Affected by Data Theft Hack in Smallest State).
Deloitte manages RIBridges, the state’s IT system for health and human services benefits, including Medicaid and Supplemental Nutrition Assistance Program.
In addition to the multimillion-dollar payment, Deloitte is also separately covering the cost of the data breach call center, credit monitoring and identity protection for affected customers, Rhode Island Gov. Dan McKee said in a statement Tuesday.
“Deloitte has recognized that the state has immediate and unexpected expenses related to the breach, and we appreciate their willingness to lend financial support,” McKee said.
Expenses covered by the $5 million payment include the costs associated with approximately 2,000 HealthSource RI customers who were enrolled directly in coverage for the months of January and February. During the IT outage, HealthSource RI worked with insurance providers to help individuals who needed active healthcare coverage starting Jan. 1 enroll directly with Neighborhood Health Plan of Rhode Island and Blue Cross Blue Shield of Rhode Island, the statement said.
The state said RIBridges’ IT system is undergoing a phased relaunch. Services restored so far include the HealthyRhode portal.