OpenAI and TanStack: No User Data Impacted in Third-party Breach, OpenAI Says

OpenAI Confirms Limited Third-Party Breach, No User Data Impacted

OpenAI disclosed a third-party security incident involving unauthorized access to its corporate code repositories, though the company emphasized that the breach was contained and did not compromise user data or production systems. According to OpenAI, only a small amount of credential material was exfiltrated, with no evidence that intellectual property, software integrity, or customer information was affected.

The attack prompted immediate containment measures, including isolating impacted systems and temporarily restricting code deployment workflows. As a precaution, OpenAI is rotating its code-signing certificates and will require macOS users to update their applications.

The breach also involved a supply chain attack on the open-source TanStack npm library, though OpenAI confirmed this did not result in access to user data. However, two employee devices within OpenAI’s corporate environment were affected by the TanStack incident.

OpenAI reiterated that no evidence suggests the attack exposed user data or disrupted its services, maintaining that the incident was limited in scope. The company continues to investigate the full extent of the breach.

Source: https://www.digit.fyi/no-user-data-impacted-in-third-party-breach-openai-says/

TanStack cybersecurity rating report: https://www.rankiteo.com/company/tanstack

OpenAI cybersecurity rating report: https://www.rankiteo.com/company/openai

"id": "TANOPE1778755599",
"linkid": "tanstack, openai",
"type": "Breach",
"date": "5/2024",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"
{'affected_entities': [{'customers_affected': 'None (user data not impacted)',
                        'industry': 'Artificial Intelligence, Software '
                                    'Development',
                        'name': 'OpenAI',
                        'type': 'Technology Company'}],
 'attack_vector': 'Unauthorized access to corporate code repositories, '
                  'Compromised open-source library (TanStack npm)',
 'customer_advisories': 'Assurance that user data and services were not '
                        'impacted',
 'data_breach': {'data_exfiltration': 'Yes (small amount of credential '
                                      'material)',
                 'personally_identifiable_information': 'No',
                 'sensitivity_of_data': 'Low (no user data or intellectual '
                                        'property compromised)',
                 'type_of_data_compromised': 'Credential material'},
 'description': 'OpenAI disclosed a third-party security incident involving '
                'unauthorized access to its corporate code repositories. The '
                'breach was contained and did not compromise user data or '
                'production systems. A small amount of credential material was '
                'exfiltrated, but no evidence suggests intellectual property, '
                'software integrity, or customer information was affected.',
 'impact': {'data_compromised': 'Small amount of credential material',
            'operational_impact': 'Temporary restriction of code deployment '
                                  'workflows',
            'systems_affected': 'Corporate code repositories, Two employee '
                                'devices in corporate environment'},
 'investigation_status': 'Ongoing',
 'references': [{'source': 'OpenAI Public Disclosure'}],
 'response': {'communication_strategy': 'Public disclosure of incident details',
              'containment_measures': 'Isolating impacted systems, Temporarily '
                                      'restricting code deployment workflows',
              'incident_response_plan_activated': 'Yes',
              'remediation_measures': 'Rotating code-signing certificates, '
                                      'Requiring macOS users to update '
                                      'applications'},
 'title': 'OpenAI Third-Party Breach with Limited Impact',
 'type': 'Third-party breach, Supply chain attack'}