{"id":14094,"date":"2026-07-06T10:03:37","date_gmt":"2026-07-06T10:03:37","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/07\/06\/hackers-abuse-openai-org-invites-to-harvest-sensitive-prompts-and-api-activity\/"},"modified":"2026-07-06T10:03:37","modified_gmt":"2026-07-06T10:03:37","slug":"hackers-abuse-openai-org-invites-to-harvest-sensitive-prompts-and-api-activity","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/07\/06\/hackers-abuse-openai-org-invites-to-harvest-sensitive-prompts-and-api-activity\/","title":{"rendered":"Hackers Abuse OpenAI Org Invites to Harvest Sensitive Prompts and API Activity"},"content":{"rendered":"<p>    Hackers Abuse OpenAI Org Invites to Harvest Sensitive Prompts and API Activity<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p class=\"wp-block-paragraph\">Hackers are actively <a href=\"https:\/\/cybersecuritynews.com\/hackers-attacking-android-users-with-fake-chatgpt\/\" target=\"_blank\" rel=\"noreferrer noopener\">abusing OpenAI\u2019s organization invitation feature<\/a> to launch a new form of \u201cpoisoned tenant\u201d attack, allowing them to harvest sensitive prompts, API activity, and potentially corporate data from unsuspecting users.<\/p>\n<p class=\"wp-block-paragraph\">According to research disclosed by Push Security, attackers created a fake OpenAI organization using the company\u2019s name, \u201cPush Security Inc,\u201d and sent targeted invitations to employees.<\/p>\n<p class=\"wp-block-paragraph\">These emails were not spoofed or malicious in the traditional sense. They originated from OpenAI\u2019s legitimate notification system (noreply@tm.openai.com), passed authentication checks, and appeared identical to genuine collaboration invites.<\/p>\n<p class=\"wp-block-paragraph\">The only warning sign was a small notice indicating that the inviter\u2019s domain did not match the recipient\u2019s corporate domain.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhsFjak2sNXV2sqL5hW7SVKVUM_3IBnT533h6JE_vsVI281iPxHw51eWNtS92D-W6teK6s0RucvEWCDeMkTUW9VLA6hlUYoEXKVVOPO8BQIftyPfKLpDfM6kABXp764oEx4aiStN-wDt9y32Gtl_8_36cBZIeZnHU8TM2R3UcuQQQAFlKFwwRVOurCV7s8\/s1600\/Screenshot%25202026-07-06%2520124318%2520%25281%2529.webp?ssl=1\" alt='Invitation email showing OpenAI branding, \"Push Security Inc\" org name, and the Gmail sender address ( source : pushsecurity )'><figcaption class=\"wp-element-caption\">Invitation email showing OpenAI branding, \u201cPush Security Inc\u201d org name, and the Gmail sender address ( source: Pushsecurity )<\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">However, this detail can be easily overlooked, especially when the email otherwise looks fully legitimate and references real company information.<\/p>\n<h2 id=\"h-hackers-abuse-openai-org-invites\" class=\"wp-block-heading\"><strong>Hackers Abuse OpenAI Org Invites<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">Once a recipient clicks the invitation link, the attack becomes particularly dangerous. Researchers found that joining the organization required just a single click, with no additional authentication or verification step.<\/p>\n<p class=\"wp-block-paragraph\">Even from a fresh browser session with no prior login, the account was instantly linked to the attacker-controlled tenant.<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/pushsecurity.com\/blog\/openai-poisoned-tenant-attack\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">According to Push Security,<\/a> attackers made the fake organization appear legitimate by impersonating a company executive and granting all invited users Owner privileges with full administrative access.<\/p>\n<p class=\"wp-block-paragraph\">A credit card had also been added to the account, likely to remove friction and avoid raising suspicion if users attempted to access paid features.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhemW1TvD7qB1So1hybq7LP2gAcPQhYgJp3t9LAjyDRtOOSk-Tmyg-xh_X32WyHVGw80ph3sa3A5015dl_Kyo4OzTrrigIayMKBlLEgTHTe92kT-mgQjeAKW7WvOdtjs-DmNZZBwHTSqSIquZqERkm0jK04OgB3CXKaRiyZTml37tH1VdF9aoUrKFVOfS0\/s1600\/Screenshot%25202026-07-06%2520124406%2520%25281%2529.webp?ssl=1\" alt=\"Settings screen showing the organization name \u201cPush Security Inc\u201d  ( source : pushsecurity )\"><figcaption class=\"wp-element-caption\">Settings screen showing the organization name \u201cPush Security Inc\u201d ( source: Pushsecurity )<\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">The real objective of the attack is not immediate credential theft, but long-term data harvesting. If an employee assumes the organization is legitimate and begins using it for work, any prompts, uploaded data, or API usage could be visible to the attacker.<\/p>\n<p class=\"wp-block-paragraph\">This may include source code, internal documents, security research, or customer information. This technique builds on the \u201cpoisoned tenant\u201d concept first described in 2023, where attackers create fake<a href=\"https:\/\/cybersecuritynews.com\/ecommerce-saas-threats-shielding-online-stores-from-hidden-dangers\/\" target=\"_blank\" rel=\"noreferrer noopener\"> SaaS environments<\/a> to trick users into joining.<\/p>\n<p class=\"wp-block-paragraph\">In this case, the attack leverages the growing role of AI platforms as enterprise productivity hubs. As employees increasingly rely on tools like ChatGPT for daily workflows, the value of captured prompt data becomes significantly higher.<\/p>\n<p class=\"wp-block-paragraph\">Push Security researchers warn attackers could escalate access by sharing malicious chats, injecting harmful prompts, or abusing third-party integrations.<\/p>\n<p class=\"wp-block-paragraph\">This creates opportunities for data exfiltration, <a href=\"https:\/\/cybersecuritynews.com\/hackers-abuse-oauth-device-authorization-flow\/\" target=\"_blank\" rel=\"noreferrer noopener\">OAuth abuse<\/a>, or lateral movement across connected services such as email, cloud storage, and collaboration tools.<\/p>\n<p class=\"wp-block-paragraph\">The campaign is part of a broader trend where threat actors weaponize trusted SaaS platforms as delivery channels.<\/p>\n<p class=\"wp-block-paragraph\">Recent reports from Kaspersky and Cisco Talos highlight similar abuse across OpenAI, GitHub, and Jira, where attackers embed malicious content into platform-generated notifications.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjGYtgbPyxQ9mwaMr6A0QTUcG1kUsjCipZK4H2rTWyl3CAkaqJMLgMivu-KZk4ihOPJ9SKHx2W3bx01tbL6xD8XERXdlQ2X4e1BWg4uDWB3pnfaebNOasBIBLuhX6Ph-NxQgJ7-HBEIVlR0Kacl-4yBU3Cvzq8mG2x71Q0GVY490ABkInpd4mxKenbqI3M\/s1600\/Screenshot%25202026-07-06%2520124432%2520%25281%2529.webp?ssl=1\" alt=\"The recently disclosed LLMShare attack used ChatGPT to distribute malware ( source : pushsecurity )\"><figcaption class=\"wp-element-caption\">The recently disclosed LLMShare attack used ChatGPT to distribute malware ( source: Pushsecurity )<\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">Because these messages come from legitimate domains, they bypass many traditional security controls. Defending against this technique is challenging because there are no obvious indicators, such as <a href=\"https:\/\/cybersecuritynews.com\/fake-invitation-phishing-campaign\/\" target=\"_blank\" rel=\"noreferrer noopener\">malicious links or spoofed domains<\/a>.<\/p>\n<p class=\"wp-block-paragraph\">The infrastructure used is entirely legitimate. Instead, organizations must focus on visibility into SaaS usage, monitoring which external tenants\u2019 employees join, and educating users that even authentic platform emails can carry security risks.<\/p>\n<p class=\"wp-block-paragraph\">This incident highlights a growing security gap in modern enterprises. As SaaS and AI platforms continue to expand, their built-in collaboration features are becoming a powerful attack surface.<\/p>\n<p class=\"wp-block-paragraph\">Without stronger controls, such as domain verification enforcement or restricted organization joining, attackers will continue to exploit these trusted systems to collect sensitive data silently.<\/p>\n<p class=\"has-background wp-block-paragraph\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 87%,rgb(169,184,195) 100%)\"><strong>\u00a0Strengthen Your SOC by Accelerating Threat Detection &amp; Rapid Investigations.\u00a0-&gt; <a href=\"https:\/\/any.run\/enterprise\/?utm_source=csn&amp;utm_medium=links&amp;utm_campaign=sandbox&amp;utm_content=enterprise&amp;utm_term=0626#contact-sales\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Integrate ANY.RUN With Your SOC <\/a><strong><a href=\"https:\/\/any.run\/enterprise\/?utm_source=csn&amp;utm_medium=links&amp;utm_campaign=sandbox&amp;utm_content=enterprise&amp;utm_term=0626#contact-sales\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Now<\/a><\/strong>.<\/strong><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/hackers-use-openai-org-invites\/\">Hackers Abuse OpenAI Org Invites to Harvest Sensitive Prompts and API Activity<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Abinaya<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/hackers-use-openai-org-invites\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hackers Abuse OpenAI Org Invites to Harvest Sensitive Prompts and API Activity Hackers are actively abusing OpenAI\u2019s organization invitation feature to launch a new form of \u201cpoisoned tenant\u201d attack, allowing them to harvest sensitive prompts, API activity, and potentially corporate data from unsuspecting users. According to research disclosed by Push Security, attackers created a fake [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,165],"tags":[130],"class_list":["post-14094","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-openai","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14094"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=14094"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14094\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=14094"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=14094"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=14094"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}