OpenAI Was Hacked in 2023 but Did Not Disclose the Breach

According to sources cited by The New York Times, OpenAI’s internal employee forum was hacked in 2023, and an attacker managed to steal data from it. OpenAI did not publicly disclose the incident or notify law enforcement, stating that the hacker did not access customer or partner information and that the attack was not considered a national security threat.

OpenAI executives informed employees about the breach but downplayed its significance, claiming it was carried out by a single individual not connected to any foreign governments. The hack did not affect customer or partner data, nor did it impact systems used to store or develop OpenAI’s AI products.

Nevertheless, according to anonymous sources and the publication, the incident sparked intense internal debate within OpenAI about the company’s approach to security.

“After the breach, Leopold Aschenbrenner, OpenAI’s technical program manager responsible for ensuring future AI technologies could not cause serious harm, sent a memo to the OpenAI board of directors. In it, he claimed the company was not taking sufficient measures to prevent Chinese and other foreign governments from stealing its secrets,” reports The New York Times.

Earlier this year, Aschenbrenner was fired, allegedly for leaking information. However, he disputes this. In a June 2024 podcast with Dwarkesh Patel, Aschenbrenner said:

“OpenAI told employees I was fired for a data leak. I and others pressed them for details about what exactly was leaked. Their answer was: at some point last year, I wrote a brainstorming document about future preparedness, safety, and protection measures needed on the path to AGI. I shared this document with three external researchers for feedback. That was the leak. Before sharing, I checked the document to ensure it contained no confidential information.”

In the same podcast, Aschenbrenner hinted at the aforementioned hack and stated that OpenAI’s security is clearly insufficient to protect its key secrets, especially if the company were targeted by foreign hackers.