OpenAI’s discontinuation of the public Sora API on March 24, 2026 creates a third-party dependency risk event rather than a traditional vulnerability: organizations must inventory and revoke orphaned Sora API credentials, audit dependent workflows, and apply security review to any replacement AI video generation services they evaluate. A secondary threat surface has emerged from unverified reports of threat actors exploiting anticipation of ‘Sora 2’ in credential-theft phishing campaigns; security teams should brief developers and monitor email gateways for spoofed Sora-successor domains. Two additional claims (a credential theft campaign and an audio-channel prompt injection vulnerability) originate from Tier 3 sources and should not be operationalized without independent corroboration from OpenAI advisories or established threat intelligence outlets.
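
One way to start the inventory described above, as an added example that is not from the original advisory or from OpenAI: walk a source tree, list the files that reference Sora, and report any OpenAI-style keys in those files in redacted form. The `sora` name match, the `sk-` key pattern, the file-suffix list and the sample tree are assumptions to adapt to your environment.

```python
import re
import tempfile
from pathlib import Path

# Assumed patterns, not taken from the advisory: tune both before relying on them.
SORA_REF = re.compile(r"(?<![A-Za-z])sora(?![A-Za-z])", re.IGNORECASE)  # model/service name
API_KEY = re.compile(r"\bsk-[A-Za-z0-9_-]{20,}")                        # OpenAI-style key
TEXT_SUFFIXES = {".py", ".js", ".ts", ".yml", ".yaml", ".json", ".env", ".toml", ".sh"}


def redact(secret):
    """Keep just enough of a key to match it against the provider's key list."""
    return f"{secret[:5]}...{secret[-4:]}"


def scan_tree(root):
    """Return one finding per file that references Sora, with keys found in that file."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or (path.suffix not in TEXT_SUFFIXES and path.name != ".env"):
            continue
        lines = path.read_text(errors="replace").splitlines()
        refs = [n for n, line in enumerate(lines, 1) if SORA_REF.search(line)]
        if not refs:
            continue  # no Sora dependency in this file
        keys = sorted({redact(m.group()) for line in lines for m in API_KEY.finditer(line)})
        findings.append({
            "file": path.relative_to(root).as_posix(),
            "sora_lines": refs,
            "keys_to_revoke": keys,  # empty: key is injected at runtime, check the secret store
        })
    return findings


def build_sample_tree(root):
    """Constructed sample repository; the key below is a made-up placeholder."""
    root = Path(root)
    (root / "jobs").mkdir()
    (root / "jobs" / "render.py").write_text(
        'MODEL = "sora-2"\nOPENAI_KEY = "sk-EXAMPLEexampleEXAMPLEexample1234"\n')
    (root / "jobs" / "nightly.yml").write_text("steps:\n  - run: render --model sora-2\n")
    (root / "README.json").write_text('{"note": "unrelated service"}\n')
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in scan_tree(build_sample_tree(tmp)):
            print(finding)
```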