OpenAI says there is no indication that a breach involving a third-party developer tool compromised user data.
The artificial intelligence startup issued a statement Friday (April 10) saying the issue stemmed from an attack by a North Korea-linked group on developer tool Axios.
The company said that it was taking measures to protect the process that ensures its macOS applications are legitimate OpenAI apps.
“We found no evidence that OpenAI user data was accessed, that our systems or intellectual property was compromised, or that our software was altered,” the company added.
“We are updating our security certificates, which will require all macOS users to update their OpenAI apps to the latest versions. This helps prevent any risk — however unlikely — of someone attempting to distribute a fake app that appears to be from OpenAI.”
According to the company’s announcement, the incident began March 31 when Axios was compromised as part of a wider software supply chain attack.
The attack caused the GitHub Actions workflow used by OpenAI for macOS app-signing to download a malicious version of Axios. This workflow had access to “a certificate and notarization material” for signing macOS applications, which helps customers know that software comes from OpenAI.
“Our analysis of the incident concluded that the signing certificate present in this workflow was likely not successfully exfiltrated by the malicious payload due to the timing of the payload execution, certificate injection into the job, sequencing of the job itself, and other mitigating factors,” OpenAI said.
“Nevertheless, out of an abundance of caution we are treating the certificate as compromised, and are revoking and rotating it.”
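The incident described above turns on a release workflow installing a dependency that had been tampered with while it held signing material. One defensive control a release pipeline can run before any install step is a lockfile audit. The script below is an added example, not code from OpenAI, Axios or PYMNTS: it checks that every entry in an npm package-lock.json carries a sha512 integrity hash and resolves to an allowed registry over HTTPS, and it surfaces any package on a watchlist (here only the name "axios", taken from the article; the affected version range is not given on the page, so every pinned version is reported for human review). The lockfile, version numbers and hashes in the sample are constructed for the example.

```python
"""Audit an npm package-lock.json (lockfileVersion 2 or 3) before a CI job installs it.

Added example; not OpenAI's, Axios's or PYMNTS's code. Three checks a
signing/release job should refuse to proceed without:
  1. every fetched dependency has a sha512 `integrity` hash,
  2. every `resolved` URL uses HTTPS and points at an allowed registry host,
  3. any package on a watchlist is reported with its pinned version.
"""
import json
from urllib.parse import urlparse

# Registry hosts the workflow is allowed to download tarballs from (assumption).
ALLOWED_REGISTRY_HOSTS = {"registry.npmjs.org"}


def audit_lockfile(lock_text, watchlist=()):
    """Return a list of (package_path, problem) tuples; an empty list means clean."""
    lock = json.loads(lock_text)
    version = lock.get("lockfileVersion", 0)
    if version < 2:
        # v1 lockfiles lack the flat "packages" map; refuse rather than guess.
        return [("", f"unsupported lockfileVersion {version}; regenerate with npm >= 7")]

    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue  # root project entry, nothing is fetched for it
        if entry.get("link"):
            continue  # workspace symlink, nothing is downloaded
        name = path.rsplit("node_modules/", 1)[-1]
        resolved = entry.get("resolved")
        integrity = entry.get("integrity", "")

        if not resolved:
            findings.append((path, "no resolved URL; install source is not pinned"))
        else:
            parts = urlparse(resolved)
            if parts.scheme != "https" or parts.hostname not in ALLOWED_REGISTRY_HOSTS:
                findings.append((path, f"resolved from disallowed source {resolved}"))

        if not integrity.startswith("sha512-"):
            findings.append((path, "missing or weak integrity hash; tarball cannot be verified"))

        if name in watchlist:
            findings.append((path, f"watchlisted package pinned at {entry.get('version')}"))
    return findings


# Constructed sample lockfile: one clean entry, one without an integrity hash,
# one resolved from a git URL instead of the registry. Hashes are placeholders.
SAMPLE_LOCKFILE = json.dumps({
    "name": "release-tool",
    "lockfileVersion": 3,
    "requires": True,
    "packages": {
        "": {"name": "release-tool", "version": "1.0.0"},
        "node_modules/axios": {
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/axios/-/axios-1.0.0.tgz",
            "integrity": "sha512-PLACEHOLDERHASH",
        },
        "node_modules/sample-lib": {
            "version": "0.1.0",
            "resolved": "https://registry.npmjs.org/sample-lib/-/sample-lib-0.1.0.tgz",
        },
        "node_modules/sample-helper": {
            "version": "2.0.0",
            "resolved": "git+ssh://git@github.com/example/sample-helper.git#abc123",
            "integrity": "sha512-PLACEHOLDERHASH",
        },
    },
})


def main():
    # Package name taken from the article; this is a review prompt, not an IoC.
    for path, problem in audit_lockfile(SAMPLE_LOCKFILE, watchlist={"axios"}):
        print(f"{path or '<lockfile>'}: {problem}")


if __name__ == "__main__":
    main()
```

Run it as a gating step before `npm ci` in the release job and fail the job on a non-empty result; pairing it with a workflow layout that exposes signing secrets only to the signing step, not to the dependency-install step, limits what a tampered package can reach even when the audit misses something.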
Last year saw a wave of cybersecurity incidents that originated in attacks on third-party vendors, as PYMNTS has written.
Findings from the PYMNTS Intelligence report “Vendors and Vulnerabilities: The Cyberattack Squeeze on Mid-Market Firms” show that attackers frequently compromise a vendor first, then exploit the trust relationship to infiltrate their target company. The research found that 38% of invoice fraud cases and 43% of phishing attacks originated with compromised vendors.
In other cybersecurity news, PYMNTS wrote last week about the way Quantum Day — the moment when commercially available quantum computers can crack widely used cryptographic systems — has ceased being a distant hypothetical.
“As a result of the shrinking strategic horizon, what was once a theoretical, deep-tech risk is instead now being operationalized into present-day procurement decisions, product roadmaps and compliance mandates,” that report said.
