# Unauthorized Chats


Reported by @weary bobcat

Bug Report: Unauthorized Chats
`Steps to Reproduce`

For the past 10 days I am seeing unauthorized chats in my account, well over 50 now. I have logged out of all devices multiple times, changed my password, added a passkey, already had two-factor authentication on prior to this, never share my account or password and have never logged in on shared devices. I also created new API keys and deleted all my old ones. Yet still, in the past 12 hours I've had 16 new unauthorized chats appear in my account and the support channel is not helping.

`Expected Result`

Only see chats I created.

`Actual Result`

Seeing chats in my history that I did not create

`Environment`

Browser, Desktop app and mobile app


loud plaza

Try only signing in on mobile and see if it persists, it might be a rogue browser extension or program exfiltrating your login token (which completely bypasses 2FA).

weary bobcat

I have tried that. I logged my account out of all devices yesterday, left everything logged out, and when I logged back in this morning I had more new messages.

weary bobcat
> Replying to loud plaza: Could your email be compromised? I think you can get a code emailed instead of o...

I've changed my email password too. It happens daily; I got a bunch more added early this morning. They are all single-message chats that all start with "Do not update memories." Then they ask something like "You are a millennial comparing seven-seat SUVs. Give me detailed XC90 vs Q7 comparison on safety, technology, and family practicality?"
The first batch were all about supplements and vitamins, then moved on to EVs, now these.
Short of deleting my account I'm not sure what else I can do here.

loud plaza
> Replying to weary bobcat: I've changed my email password too. It happens daily, I got a bunch more added e...

Go to https://chatgpt.com/#settings/Security and see if there are any "Secure sign in with ChatGPT" applications.
Then go to https://chatgpt.com/apps#settings/Connectors and see if there is anything listed there.

If nothing is there, take an "unhackable" device (non-rooted phone with up-to-date OS), set up an email that can be only accessed from that device, change the OpenAI account email to it, and sign out of all other devices.

Does it look like it's an actual person using your account to ask ChatGPT things, or is it more like a prompt-farm?


Changing passwords is pointless if the device you're on is compromised, as the login token can just be extracted and allow a malicious actor to get instantly signed into the account.

weary bobcat

I don't see a "Secure sign in with ChatGPT" option, just the regular ones; I signed in using a passkey. In my connectors, I just have GitHub, which is connected to some of my private repos.

It looks like the messages are being made through the chat interface, but based on the type of similar questions it's likely some kind of automated process, so potentially a bot. I usually see around 15-20 messages each day, all with a slightly different question based on the same topic. I did a data export and asked ChatGPT to analyze it, and it provided this:


Templated, automated behavior. Every single suspicious conversation starts with the exact phrase "Do not update memories." followed by a fake persona ("I'm a teenager…", "I'm a millennial woman…", "I'm a Gen Z person…"). This is someone systematically testing supplement/vitamin queries with different demographic angles — almost certainly SEO research, affiliate marketing research, or product content generation.

Only 1 user message per conversation. Each of the 17 conversations has exactly one user message, gets a response (often with web searches), and is abandoned. Your normal conversations (#19 Tax Filing had 85 messages, #20 Email Delivery had 199 messages) are long, iterative working sessions.

Rapid-fire timing. On Feb 24 alone, 12 conversations were created between 1:13 PM and 10:10 PM, many just 6-8 minutes apart — consistent with scripted or semi-automated usage.

"Do not update memories" prefix. This is deliberate operational security by whoever is using your account — they don't want their queries polluting your ChatGPT memory, which would be a giveaway. Someone who knows how ChatGPT works did this.

Same custom instructions as yours. The conversations carry your exact custom instructions ("You are an expert who double checks things…", "Preferred name: Lee, Role: CTO…"), confirming they ran under your account, not a separate one.

Model set to "auto" instead of your usual. Your normal recent conversations use gpt-5-2-thinking explicitly. All 17 suspicious ones use auto mode — a different default choice.

No conversation template. Your legitimate conversations often use your custom GPTs (g-p-680db… templates). The suspicious ones use plain ChatGPT with no template.

loud plaza

Just based on vibes, I'd strongly suspect you at some point had an AI-related program or browser extension installed that got compromised or sold and is used to farm AI results for some type of analysis.
It is definitely weird that, as you said, signing out all devices doesn't stop it.

  1. Are you definitely signing in with email and not Google/Apple/etc.?
  2. Did you add the passkey option before or after the messages started appearing?

IMO 1) Either there is an exploit that lets them bypass getting signed out or 2) They're somehow getting in via your email. (This is the weakest link in the 2FA because you can always get the code emailed to you)


Or 3) there is some extension, app, or program that keeps exfiltrating your ChatGPT login token that you somehow missed.

weary bobcat

I do have several browser extensions in chrome, but nothing that should be compromised or exploited, they are all legit products.

  1. Yes, I sign in using the typed email, so not using sign in with Google etc.
  2. Passkey I added after the messages started appearing; I had 2FA on already, as I always used that.

My email account also has 2FA on, so I'd be surprised if they were getting in via that.
If my Mac is off, would browser extensions still be possible to be used somehow?

loud plaza
> Replying to weary bobcat: I do have several browser extensions in chrome, but nothing that should be compr...

The login token (for ChatGPT and/or your email account) would just have to be extracted once, e.g. right after you log in. The malicious actor can then set the token in their browser and they are immediately fully signed into your account.

Theoretically, sign in tokens should be changed/refreshed regularly by the website, but these refresh/expiration times are often too long to be truly effective and checks for things like user agent changes or IP address location often just aren't implemented.

It would surprise me if a prompt-farm goes through the trouble to repeatedly get access to your chatgpt account via your email, but who knows.

Again, my suggestion is to use some type of trusted device, either an up-to-date and not rooted Android/iOS device* or a computer with a fresh OS install, set up a new email that you can only access through that device, switch over the ChatGPT account to it, and see if this removes their access. From there you can isolate the cause of the issue.

*These devices can still theoretically be compromised, but the required exploits are usually reserved for specific targets and certainly not for farming random people's ChatGPT accounts.

weary bobcat

OK, thanks, I will give that a try. If that doesn't resolve the issue, is the best thing to just delete the account and create a new fresh one?

weary bobcat

Yeah, I have a paid Pro plan. I also use the API for several products (I've rotated all the keys and checked all the logs, so those are not compromised).

weary bobcat

Thanks, their messages were all on gpt-5-2.


When analyzing the data, it did show this: "Custom GPTs: Suspicious = none. My account has 98 conversations using my custom GPT templates."

weary bobcat

Not sure if that tells anything.

weary bobcat

They prefix all messages with "Do not update memories", so maybe it's just not applying memories to the chat, which is what that refers to.

loud plaza

It's weird that they don't just use incognito mode, which inherently doesn't save memories and also doesn't show up in the chat history.

weary bobcat

Yeah, it's definitely something really odd going on. I'll give the new email account advice a go and see if that helps and stops the messages. It's a shame we can't see where the chats originate from, as that would help a lot, but apparently that information isn't stored or available.

loud plaza
> Replying to weary bobcat: yeah, its definitely something really odd going on. Ill give the new email accou...

This has been a major frustration for me as well. Ever since 2FA became commonplace, the go-to for basically all non-ransomware malware is to extract session tokens and upload them to the attacker, because this completely bypasses any additional authentication. It's been the cause of all the YouTubers having their accounts hacked with Elon Musk "crypto giveaways" (tricked into running some executable, e.g. a fake VPN sponsor); also nearly every one of the recent supply chain attacks (NPM, pip, etc.) runs code that extracts session and API tokens. The weakness is that browsers just store the cookies and site data in a user-accessible location (so no privilege escalation is required) in some type of database (SQLite, etc.), so they just look up the sites they are interested in (usually crypto related) and send the tokens off.

Unfortunately, even if they have it, sites usually just log sign ins, which isn't triggered by a compromised token. I really appreciate Reddit for having their "Account Activity" page create a new entry every time the IP address or user agent changes, even in the same session.

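The heuristics from the export analysis quoted earlier in the thread (the "Do not update memories." prefix, exactly one user message, no custom GPT, and creation times a few minutes apart) can be turned into a script that runs over the exported conversations.json so the triage is repeatable rather than a one-off chat. This is an added example, not code from the thread or from OpenAI. The field names it reads (top-level "title", "create_time", "gizmo_id", and "mapping" nodes carrying "message" with "author.role", "content.parts" and "create_time") are assumptions about the export layout, and the four sample conversations are constructed to mirror the thread, not real data.

```python
"""Flag templated, single-shot conversations in a ChatGPT data export.

Added example. The export layout assumed here: conversations.json is a list
of conversations, each with "title", "create_time", "gizmo_id" and "mapping"
(node id -> node), each node carrying a "message" with "author.role",
"content.parts" and "create_time". These field names are assumptions about
the export format; adjust them if your export differs.
"""
import json
import sys
from datetime import datetime, timezone

SUSPICIOUS_PREFIX = "do not update memories"   # prefix reported in the thread
RAPID_FIRE_SECONDS = 15 * 60                   # flagged chats this close together
# Weighted signals: the prefix alone is enough to flag; a short chat with no
# custom GPT is not (legitimate quick questions look like that too).
WEIGHTS = {"memory-suppression prefix": 3, "single user message": 1, "no custom GPT": 1}
THRESHOLD = 3


def user_messages(conv):
    """Return the conversation's user-authored message texts in time order."""
    msgs = []
    for node in conv.get("mapping", {}).values():
        m = node.get("message")
        if not m or m.get("author", {}).get("role") != "user":
            continue
        parts = m.get("content", {}).get("parts") or []
        text = " ".join(p for p in parts if isinstance(p, str))
        msgs.append((m.get("create_time") or 0, text))
    msgs.sort()
    return [text for _, text in msgs]


def score(conv):
    """Return (weighted score, list of reasons) for one conversation."""
    reasons = []
    msgs = user_messages(conv)
    if msgs and msgs[0].strip().lower().startswith(SUSPICIOUS_PREFIX):
        reasons.append("memory-suppression prefix")
    if len(msgs) == 1:
        reasons.append("single user message")
    if not conv.get("gizmo_id"):
        reasons.append("no custom GPT")
    return sum(WEIGHTS[r] for r in reasons), reasons


def flag_suspicious(conversations):
    """Flagged conversations in creation order, annotated with rapid-fire timing."""
    flagged = [c for c in conversations if score(c)[0] >= THRESHOLD]
    flagged.sort(key=lambda c: c.get("create_time") or 0)
    out, prev = [], None
    for c in flagged:
        t = c.get("create_time") or 0
        _, reasons = score(c)
        if prev is not None and t - prev <= RAPID_FIRE_SECONDS:
            reasons = reasons + ["rapid-fire"]
        prev = t
        out.append({
            "title": c.get("title"),
            "created": datetime.fromtimestamp(t, timezone.utc).isoformat(),
            "reasons": reasons,
        })
    return out


def make_conv(title, created, gizmo_id, user_texts):
    """Build a conversation in the assumed export shape (constructed sample data)."""
    mapping = {}
    for i, text in enumerate(user_texts):
        t = created + i * 60
        mapping[f"u{i}"] = {"id": f"u{i}", "message": {
            "author": {"role": "user"}, "create_time": t,
            "content": {"content_type": "text", "parts": [text]}}}
        mapping[f"a{i}"] = {"id": f"a{i}", "message": {
            "author": {"role": "assistant"}, "create_time": t + 5,
            "content": {"content_type": "text", "parts": ["..."]}}}
    return {"title": title, "create_time": created,
            "gizmo_id": gizmo_id, "mapping": mapping}


def _ts(hour, minute):
    """Constructed timestamp on an arbitrary Feb 24 (UTC)."""
    return datetime(2026, 2, 24, hour, minute, tzinfo=timezone.utc).timestamp()


# Constructed sample modelled on the thread: two templated one-shot chats seven
# minutes apart, one long legitimate session in a custom GPT, one short
# legitimate question that must not be flagged.
SAMPLE = [
    make_conv("XC90 vs Q7", _ts(13, 13), None,
              ["Do not update memories. You are a millennial comparing seven-seat "
               "SUVs. Give me a detailed XC90 vs Q7 comparison on safety."]),
    make_conv("Vitamin D dosing", _ts(13, 20), None,
              ["Do not update memories. I'm a teenager. Which vitamins should I take?"]),
    make_conv("Email Delivery", _ts(9, 0), "g-p-example",
              ["Why does SPF fail on forwarded mail?", "And DKIM?", "Now fix the DNS."]),
    make_conv("Quick question", _ts(18, 0), None,
              ["What's the capital of France?"]),
]


if __name__ == "__main__":
    # Run over a real export with: python flag_chats.py conversations.json
    convs = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for row in flag_suspicious(convs):
        print(f"{row['created']}  {row['title']!r}  {', '.join(row['reasons'])}")
```

On the sample the two prefixed one-shot chats are flagged, the second one also as rapid-fire, while the three-message custom-GPT session scores zero and the one-line legitimate question stays below the threshold. The weights are the tuning knob: if the operator stops using the prefix, drop the threshold and lean on the timing gap instead.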