OpenAI Says Bug Revealed ChatGPT Sensitive User Data

The ChatGPT bug that came up a few days ago was a little more serious than what was advertised. Personal data of ChatGPT Plus subscribers may have been exposed.

OpenAI was forced to shut down its popular ChatGPT chatbot a few days ago after a user managed to exploit a loophole in the system to get other users’ chat title history. The company today released its first findings on this incident, which ended up being more serious than originally stated.

A ChatGPT bug that occurred a few days ago turned out to be a little more serious than announced

In an incident earlier this week, users posted screenshots of their ChatGPT sidebar on Reddit showing the titles of other users’ previous conversations. Titles only. OpenAI, in response to this serious issue, has taken the decision to shut down their chatbot, a service interruption that lasted nearly 10 hours, time to look into the matter. The results of this analysis revealed a rather serious security issue: a chat history bug could also have leaked the personal data of approximately 1.2% of ChatGPT Plus subscribers – a $20 per month subscription -.

“In the hours before the ChatGPT shutdown, some users could see first and last name, email address, billing address, last four digits and credit card expiration date, other active users. Full credit card numbers have never been released,” says the OpenAI team. The issue has been fixed, the vulnerability was in a third party open source Redis client library, redis-py.

Personal data of ChatGPT Plus subscribers may have been exposed

However, the company wanted to minimize the scope of this disclosure by explaining the criteria that must be met for effective disclosure of this personal data: “Open the registration confirmation email sent on Monday, March 20 between 1:00 AM and 10:00 AM (Pacific Time Zone). Due to a bug, some of these emails generated during this time window were sent to the wrong users. These emails contained the last four digits of the credit card number, but not the full number. It is possible that a small number of confirmation emails were sent prior to March 20, but we have no confirmation of such cases.” Another possible scenario: “In ChatGPT, click on ‘My Account’ then ‘Manage My Subscription’ between 1:00 AM and 10:00 AM PT this Monday, March 20th. During this time window, the last name, first name, billing address, last four digits, and credit card expiration date of another active ChatGPT Plus user could be visible. It is possible that this could happen before March 20, but we do not have confirmation of any such case.

The company has taken additional steps to prevent this error from happening again, including adding redundant checks when calling such libraries, “systematically reviewing our logs to make sure all messages are only available to the right users”and “by improving the logs to identify when such an incident occurs and be able to confirm exactly when it disappeared.”The company also explains that it has contacted users affected by the topic.