OpenAI says employee data stolen

- OpenAI said on May 14 that hackers stole limited credential material from repositories tied to two employee devices hit in a TanStack attack.
- Two employee devices were compromised, OpenAI said, and the company said it found “no evidence” user data, production systems or intellectual property were accessed.
- By June 12, 2026, macOS users must update OpenAI apps as the company rotates code-signing certificates after the incident.

OpenAI said on May 14 that hackers stole some internal data after a supply-chain attack hit two employee devices, while a separate class-action complaint filed in California accused the company of sharing ChatGPT web data with Google and Meta through tracking tools. The company said the breach was limited to employee devices and certain internal repositories, and that it found no evidence user data or production systems were accessed. The lawsuit makes broader privacy allegations about ChatGPT.com that OpenAI had not publicly addressed in the materials reviewed. Together, the two developments put OpenAI’s security controls and privacy practices under fresh scrutiny as ChatGPT expands into education and workplace use.

### Which systems did OpenAI say were actually hit?

OpenAI said two employee devices in its corporate environment were affected by the TanStack npm compromise on May 11, 2026 UTC. In a company post dated May 13, OpenAI said it saw unauthorized access and theft of credentials from “a limited subset of internal source code repositories” available to those employees. (techcrunch.com)

TechCrunch reported on May 14 that the malicious TanStack packages were part of a broader software supply-chain attack and were designed to steal credentials and spread to other systems. TanStack said hackers published 84 malicious versions of its software during a six-minute window and that a researcher detected the attack within 20 minutes. (openai.com)

### What did OpenAI say was not affected?

OpenAI said it found no evidence that user data was accessed, that production systems or intellectual property were compromised, or that its software was altered. Reuters, citing the company on May 14, reported that only limited credential material was exfiltrated from the affected repositories and that no other information or code was impacted. (techcrunch.com)

The company said it isolated the affected systems and temporarily restricted code-deployment workflows as part of containment. OpenAI also said it was rotating code-signing certificates tied to its macOS applications as a precaution.

### Why are Mac users being told to update OpenAI apps?

OpenAI said the affected repositories contained digital certificates used to sign its products, prompting the company to replace those certificates. (usnews.com)

The company said all macOS users must update OpenAI apps to the latest versions by June 12, 2026. OpenAI said the update is intended to protect the process that certifies its macOS applications are legitimate and that it found no evidence of compromise or risk to existing software installations. (usnews.com)

Reporting by TechRepublic and The Hacker News described the move as a response to exposed signing material linked to the broader TanStack attack. (openai.com)

### What does the new privacy lawsuit allege about ChatGPT.com?

A proposed class action filed in the U.S. District Court for the Southern District of California alleges that OpenAI embedded Meta Pixel and Google Analytics in the ChatGPT web interface and transmitted user chat topics, identifiers and contact details without consent. Cybersecurity News identified the plaintiff as California resident Amargo Couture and said the complaint seeks relief on behalf of U.S. users who entered queries into ChatGPT.com. (openai.com)

Futurism reported on May 14 that the complaint alleges user chat queries and identifying information such as emails and user IDs were shared with Google and Meta. The complaint, as described by Cybersecurity News and Futurism, cites the federal Electronic Communications Privacy Act and California privacy law. (cybersecuritynews.com)

### Why does this matter for students and other heavy ChatGPT users?

ChatGPT is used for schoolwork, tutoring and personal advice, and the complaint described by Cybersecurity News says users often submit questions involving finances, health and legal issues. Futurism reported that many users treat chatbots as a place for emotional support or other highly personal exchanges, which is why the alleged sharing of query data would be significant if proved in court. (cybersecuritynews.com)

OpenAI has also been pushing further into student use. The company’s news page lists an “OpenAI Campus Network” item published on May 11, 2026, underscoring that education remains an active audience for the company while privacy and security questions continue to surface.

### What happens next?

June 12, 2026 is OpenAI’s deadline for macOS users to update affected applications after the certificate rotation. In court, the privacy case identified by Cybersecurity News as filed in the Southern District of California will proceed through the early stages of class-action litigation unless it is dismissed, settled or otherwise narrowed by the parties. (cybersecuritynews.com) (openai.com 1) (openai.com 2)
