OpenAI temporarily took its widely popular ChatGPT bot offline for emergency maintenance after a user discovered a system bug that allowed access to titles of other users' chat histories. The company disclosed initial findings from the incident on Friday.
Users reported on Reddit that their ChatGPT sidebars displayed previous chat titles from other users, with only the titles visible and not the content. To address the issue, OpenAI took the bot offline for nearly 10 hours for a thorough investigation. Findings revealed a deeper security concern: the bug may have exposed personal data for 1.2% of ChatGPT Plus subscribers—those paying $20 per month for enhanced access.
According to OpenAI, before the shutdown, some users could view the first and last names, email addresses, payment addresses, the last four digits of credit card numbers, and credit card expiration dates of other active users. However, full credit card numbers were not disclosed. The vulnerability was traced back to a faulty open-source library, redis-py, which has since been patched.
OpenAI emphasized that the likelihood of actual exposure is low, since it required one of the following specific conditions to be met:
1. Subscription confirmation emails sent on March 20, between 1 a.m. and 10 a.m. Pacific time, may have been incorrectly addressed, revealing the last four digits of another user’s credit card number to the wrong recipient. Full credit card numbers were not included.
2. Users accessing “My account” and selecting “Manage my subscription” during the same timeframe might have seen another user’s personal information, including names and payment details. Instances prior to March 20 have not been confirmed.
The company has implemented additional security measures, including redundant checks and enhanced logging to ensure that users’ messages remain private. Affected users have been notified about the incident.
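One way a redundant check of the kind described above can work, as an added example that is not OpenAI's code or part of the original article: each cached value carries its owner's ID, and a read is refused and logged when that owner does not match the requesting user. The envelope format, the function names, the in-memory `STORE` standing in for the cache, and the simulated crossed reply are all assumptions made for illustration.

```python
import json
import logging

log = logging.getLogger("cache_guard")


class OwnerMismatch(Exception):
    """Cached payload belongs to a different user than the requester."""


def wrap(owner_id: str, payload: dict) -> bytes:
    # Bind the owning user to the value itself, not only to the cache key.
    return json.dumps({"owner": owner_id, "payload": payload}).encode()


def checked_read(cache_get, key: str, requester_id: str):
    """Fetch key via cache_get and verify ownership before returning it."""
    raw = cache_get(key)
    if raw is None:
        return None  # cache miss: caller falls back to the source of truth
    envelope = json.loads(raw)
    if envelope.get("owner") != requester_id:
        # Log the event without copying the other user's data into the log.
        log.error("cache owner mismatch key=%s requester=%s", key, requester_id)
        raise OwnerMismatch(key)
    return envelope["payload"]


# Constructed sample data: a dict stands in for the cache server (assumption).
STORE = {
    "billing:alice": wrap("alice", {"name": "Alice Example", "card_last4": "0000"}),
    "billing:bob": wrap("bob", {"name": "Bob Example", "card_last4": "1111"}),
}


def healthy_get(key):
    return STORE.get(key)


def crossed_get(key):
    # Simulated fault (assumption): the reply handed back is another user's entry.
    return STORE["billing:bob"]


def demo():
    ok = checked_read(healthy_get, "billing:alice", "alice")
    try:
        checked_read(crossed_get, "billing:alice", "alice")
        leaked = True
    except OwnerMismatch:
        leaked = False
    return ok["card_last4"], leaked
```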
This incident comes on the heels of Google’s Bard AI mistakenly assuring the public about the James Webb Space Telescope's capabilities and CNET's controversial use of generative AI for financial reporting just before significant layoffs. It remains uncertain how OpenAI’s reputation will be impacted in the competitive landscape following this event.