Cybersecurity researchers at Group-IB reported the identification of over 101,000 malware-infected computers with ChatGPT login credentials on Tuesday, June 20th. The credentials were found in logs generated by the Raccoon Infostealer, a malware-as-a-service (MaaS) product which is estimated to have infected millions of computers around the globe since 2021. Large swaths of these credentials have been found for sale on various darknet markets, with the majority of sold accounts originating from Asia.
The data is obtained by the MaaS as it scours web browsers for saved login information, which it is also capable of decrypting. The data is then returned to the lessee of the service, where it is often put up for sale on the dark web. ChatGPT data can be particularly valuable to its purchasers, as the saved sessions sometimes contain sensitive or personal information. This may give hackers or other cybercriminals special insight into their victims, potentially exposing them to extortion or to compromise of their financial data.
Both Google and Samsung have already banned software engineers from putting code into ChatGPT as a security precaution to protect against theft of company information, which could possibly be used to uncover vulnerabilities in proprietary codebases.
According to Group-IB, the rate of detection of ChatGPT credentials in info-stealing malware has climbed proportionally to the popularity of the ChatGPT software, with the first detections occurring in June 2022, and the most detections occurring last month, May 2023. In addition to Raccoon Infostealer, other MaaS products found to have ChatGPT credentials in their logs include Vidar and Redline.
“Many enterprises are integrating ChatGPT into their operational flow. Employees enter classified correspondences or use the bot to optimize proprietary code. Given that ChatGPT’s standard configuration retains all conversations, this could inadvertently offer a trove of sensitive intelligence to threat actors if they obtain account credentials.” – Dmitry Shestakov, Group-IB Head of Threat Intelligence
In October 2022, a US federal indictment was unsealed which named Ukrainian national Mark Sokolovsky, 26, as the principal architect behind Raccoon Infostealer; he had been apprehended in the Netherlands earlier last year. Sokolovsky is reported to have leased access to the malware for $200 per month, payable in cryptocurrency. He was charged with three conspiracy counts, for which he faces a combined maximum sentence of 20 years.