Breachwire.riscent

Breach report

OmniGPT: 34 million chat lines leaked — with the credentials and keys users pasted in

PWA & Startup BreachesHigh2025-02
The bottom lineA threat actor claimed to have breached AI chatbot OmniGPT and leaked around 30,000 user emails and phone numbers plus 34 million lines of chat messages that reportedly contained credentials, API keys, and billing details users had pasted into conversations.
Category
PWA & Startup Breaches
Type
Named incident (data breach / data-in-chat exposure)
Date
2025-02
Severity
High
OWASP
LLM06 Sensitive Information Disclosure
CWE / CVE
CWE-312

What happened

In February 2025 a threat actor using the alias "Gloomer" listed data allegedly stolen from OmniGPT, a multi-model AI chatbot aggregator, for sale on the BreachForums hacking forum. The claimed haul included around 30,000 user email addresses and phone numbers and 34 million lines of chat messages. Reporting on the samples noted that the chat logs and uploaded files reportedly contained API keys, credentials, file links, and billing details — because users had pasted them directly into conversations while working on real projects (office documents, market analyses, university and verification assignments). The breach became public on February 9, 2025. OmniGPT did not publicly confirm it.

Root cause

Two failures compound here. First, whatever store held user identities and conversations was reachable by an attacker — an access-control or exposure failure. Second, and more insidious, the content of the chats was itself a secrets trove: users routinely paste passwords, tokens, and keys into AI assistants, so a chat-log leak is a credential leak. An AI product that retains full conversation history in plaintext is holding a concentrated pool of other systems' secrets (CWE-312, LLM06). "It stored the chats" was satisfied; "a breach of chats does not become a breach of everything the user connects to" was never designed for.

How it would have been caught

A red-team exercise that scans stored conversations for secret patterns (sk-, AWS keys, password=, JWTs) demonstrates the blast radius before an attacker does. An access-control test proving the conversation store cannot be read without proper authorization catches the exposure path. Together they show that a single store breach cascades into third-party account takeover.

How to prevent it

  • Minimize retention: don't keep full plaintext chat history longer than the product needs; encrypt at rest with per-user keys.
  • Detect and redact secrets in prompts server-side before persistence, and warn users who paste credentials.
  • Lock down the conversation datastore with strict auth and network isolation; assume any leak of chats is a leak of everything referenced inside them.

The Breachwire test (red → green)

Run a secret-scanner over the conversation store and confirm it finds live credentials/API keys sitting in plaintext — the RED proof that a chat breach equals a secrets breach. Add prompt-time secret detection/redaction and per-user encryption at rest, then confirm the scanner finds no recoverable secrets in newly stored conversations and that the store rejects unauthenticated reads.