ChatGPT: Data leak made it possible to see information from other users

Date: 2023-03-25



According to the operator OpenAI, sensitive information of ChatGPT users was leaked as early as March 20th. In addition to the chat history, personal data of users of the paid Plus subscription is also said to have been visible. The culprit was an error in the open source Redis client library, which has now been fixed, the provider explained.

Access to third-party data

According to OpenAI, it had to take its chatbot ChatGPT offline last Monday. Users reportedly had access to other people's requests, which suddenly appeared in their own history. Digging into the issue, the company also found that “the same bug may have caused the unintentional visibility of payment information for 1.2% of ChatGPT Plus subscribers.”

In the hours leading up to ChatGPT’s shutdown, some users were able to see the first and last name, email and payment addresses, the last four digits of the credit card number, and the expiration date of another active user’s credit card. The full credit card numbers were never disclosed.

The Scenarios

OpenAI believes that the number of affected users whose data was actually shared with third parties is extremely small. In its message, OpenAI describes two different scenarios in which the information of other users could have been obtained on Monday: either ChatGPT Plus subscribers had an automatically generated subscription confirmation email sent between 9 a.m. and 6 p.m. (1am to 10am PDT), and these were sent to the wrong users, or a user had to click on “My Account” and “Manage My Subscription” in the same time window to be able to see the data of other active ChatGPT Plus users.

OpenAI also speaks of the “possibility” that this could have been the case before March 20th. According to the provider, there are no indications of this. The company is also confident that “there is no risk to the data of the users” whose “payment information may have been disclosed” and has informed the users concerned about the incident.

Paid Plus subscription

ChatGPT is one of the most famous and fastest-growing innovations in the digital world. The chatbot has an answer to every question, if not always the right one, and it still fascinates a large number of users. After just two months, ChatGPT reached the mark of 100 million active users, and the paid Plus subscription launched in Germany in February of this year; customers get more stable access for around 20 euros.

The data leak has now been fixed with a patch in cooperation with the Redis developers. According to OpenAI's own estimates, only a small proportion of Plus subscribers were affected by the incident. OpenAI explains more details in its communication.



(bme)

