Skip to main content
Apr 14, 2023 - Technology

Thousands compromised in ChatGPT-themed scheme

Sam Sabin
Illustration of a person behind a laptop screen with numerous cursors surrounding them and pointed towards their head.

Illustration: Aïda Amer/Axios

Downloads of a fake ChatGPT browser extension have put thousands of Facebook accounts at risk of compromise, researchers at CybelAngel said in a report this week.

What's happening: Researchers at CybelAngel came across an exposed database of stolen personal information late last week that hosted data collected from a malware-laced, fake ChatGPT browser extension.

  • CybelAngel declined to share which specific fake ChatGPT browser extension was the source, but the report does note it was available for Chrome.
  • Unidentified threat actors laced the Chrome extension with what's known as "infostealer" malware, which collects all of the data stored in someone's browser, including stored passwords and credit card information, David Sygula, head of CybelAngel's research and analysis team, told Axios.
  • While the database included upward of 4 million login credentials across personal and corporate accounts, the threat actors appeared to be abusing only collected Facebook credentials to take over accounts, CybelAngel CEO Erwan Keraudy told Axios.

Why it matters: The incident underscores just how easy it already is for malicious threat actors to weaponize interest in ChatGPT.

Details: In the campaign, the malicious actors have collected Facebook credentials belonging to 40,000 users — as well as their browsers' cookie tracking data — and appear to be using that information to take over accounts.

  • The threat actors are changing passwords and then changing the names and photos on the accounts they hack to those of Lily Collins, the star of Netflix's "Emily in Paris."
  • Some victims posted about the hacks using the hashtag #LilyCollinsHack on TikTok.

Threat level: While the Chrome extension in question has been removed from the Play Store, the database included the login credentials for at least 6,000 corporate accounts and 7,000 virtual private network accounts.

  • The database has since been wiped and held for ransom by another threat actor, Keraudy said.

Sign up for Axios’ cybersecurity newsletter Codebook here

Go deeper