OpenAI He says there is no indication that the hack involving a third-party developer tool resulted in user data being compromised.
The artificial intelligence startup A statement On Friday (April 10) it said the issue was caused by an attack on the developer tool by a North Korea-linked group Axios.
The company said it is taking measures to protect the process that ensures its macOS apps are legitimate OpenAI apps.
“We have found no evidence that OpenAI user data was accessed, that our systems or intellectual property was compromised, or that our software was changed,” the company added.
“We are updating our security certificates, which will require all macOS users to update their OpenAI apps to the latest versions. This helps prevent any risk – no matter how unlikely – of someone trying to distribute a fake app that appears to be from OpenAI.”
According to the company’s announcement, the incident began on March 31 when Axios was hacked as part of a broader program. Supply chain attack.
Advertisement: Scroll to continue
The attack caused the GitHub Actions workflow that OpenAI uses to sign a macOS app to download a malicious version of Axios. This workflow had access to “Certificate and Authentication Materials” for signing macOS apps, helping customers know that the software comes from OpenAI.
“Our analysis of the incident concluded that the signing certificate contained in this workflow was most likely not successfully exfiltrated by the malicious payload due to the timing of the payload execution, the injection of the certificate into the job, the sequence of the task itself, and other mitigating factors,” OpenAI said.
“However, out of an abundance of caution, we are treating the certification as compromised, and are rescinding and recycling it.”
Last year saw a wave of cybersecurity incidents arising from attacks on Third Party Sellersas PYMNTS wrote.
PYMNTS Intelligence Report Findings, “Vendors and Vulnerabilities: Cyber Attack Stresses Mid-Market Companies” I found that attackers often compromise the vendor first, then exploit the trust relationship to infiltrate the target company. The research found that 38% of invoice fraud and 43% of phishing attacks originated from compromised sellers.
In other cybersecurity news, PYMNTS wrote about the method last week Quantum Day The moment when commercially available quantum computers can crack widely used encryption systems is no longer just a far-fetched assumption.
“As a result of the shrinking strategic horizon, what was once a theoretical and deep-seated technology risk is now being operationalized in existing purchasing decisions, product roadmaps and compliance mandates,” that report said.
For all of our PYMNTS AI coverage, subscribe to our daily newsletter Amnesty International newsletter.
