OpenAI has disclosed that a bug in ChatGPT exposed not only some users’ chat history but also potentially leaked payment information of its paid subscribers.
Earlier this week, OpenAI announced in a blog post that it has fixed the bug, which had temporarily disabled access to the chatbot. The bug allowed some individuals to view other users’ chat history, an unusual kind of privacy violation that users would not normally expect, since there is currently no way to link personal accounts in a team setting.
In addition to the privacy breach, OpenAI stated that the bug accidentally made payment-related information visible for 1.2% of ChatGPT Plus subscribers. Full payment card numbers were not exposed, but the rest of the payment information, including users’ names and addresses, was compromised.
Upon deeper investigation, we also discovered that the same bug may have caused the unintentional visibility of payment-related information of 1.2% of the ChatGPT Plus subscribers who were active during a specific nine-hour window. In the hours before we took ChatGPT offline on Monday, it was possible for some users to see another active user’s first and last name, email address, payment address, the last four digits (only) of a credit card number, and credit card expiration date. Full credit card numbers were not exposed at any time.
OpenAI has confirmed that the bug has been fixed, and any ChatGPT Plus subscribers affected are being notified. If you are a paying subscriber, the company has outlined the steps it is taking to address the issue:
- We conducted comprehensive testing to ensure the bug fix was effective.
- We implemented redundant checks to ensure that the data returned by our Redis cache corresponds to the requesting user.
- We programmatically reviewed our logs to ensure only the intended user can access the messages.
- We correlated multiple data sources to identify and notify the affected users accordingly and accurately.
- We enhanced our logging mechanism to detect and promptly confirm that the issue has been resolved.
- We bolstered the robustness and scalability of our Redis cluster to minimize connection errors during high-traffic periods.
OpenAI has not publicly announced whether it will offer affected users a third-party data or identity protection service, although the company says it is notifying those impacted by the data exposure. It is common for companies to provide free access to such a service for a certain period after a data leak or breach. The affected users will have to decide whether OpenAI’s approach to addressing the issue satisfies them.