OpenAI: ChatGPT payment data leak caused by open-source bug


OpenAI says a Redis client open-source library bug was behind Monday’s ChatGPT outage and data leak, where users saw other users’ personal information and chat queries.

ChatGPT displays a history of your previous queries in the sidebar, allowing you to click on one and regenerate a response from the chatbot.

On Monday morning, numerous ChatGPT users reported seeing other people’s chat queries listed in their history.

HackerFantastic tweet about ChatGPT data leak

As first reported by PC Magazine, multiple ChatGPT Plus subscribers also reported seeing other people’s email addresses on their subscription pages.

Tweet about leaked emails

Soon after, OpenAI took ChatGPT offline to investigate the issue but did not provide details about what caused the outage.

Status message during ChatGPT outage

Open-source library bug behind data leak

Today, OpenAI published a post-mortem report explaining that a bug in the Redis client open-source library caused the ChatGPT service to expose other users’ chat queries and the personal information of approximately 1.2% of ChatGPT Plus subscribers.

“The bug was discovered in the Redis client open-source library, redis-py. As soon as we identified the bug, we reached out to the Redis maintainers with a patch to resolve the issue,” OpenAI said in a post-mortem published today.

The exposed information includes a subscriber’s name, email address, payment address, and the last four digits of their credit card number and expiration date.

“Upon deeper investigation, we also discovered that the same bug may have caused the unintentional visibility of payment-related information of 1.2% of the ChatGPT Plus subscribers who were active during a specific nine-hour window,” explains the post-mortem.

“In the hours before we took ChatGPT offline on Monday, it was possible for some users to see another active user’s first and last name, email address, payment address, the last four digits (only) of a credit card number, and credit card expiration date. Full credit card numbers were not exposed at any time.”
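As an added illustration (not code from this article, OpenAI, or redis-py), the following constructed Python model shows the class of bug OpenAI’s post-mortem describes: a request cancelled after its command was written to a pooled connection but before the reply was read puts that connection back in the pool with a stale reply still queued, so the next caller reads another user’s data. The hardened pool discards such a connection instead. The store contents, key names and class names are all constructed for the demonstration.

```python
from collections import deque

# Constructed sample store: session id -> account email the subscription page renders.
STORE = {"session:alice": "alice@example.com", "session:bob": "bob@example.com"}


class FakeConn:
    """Stand-in for one pooled Redis connection: commands go out in order, replies come back in order."""

    def __init__(self):
        self.unread = deque()  # replies the server has written that the client has not consumed yet

    def send(self, key):
        self.unread.append(STORE.get(key))  # the fake server answers immediately

    def read_reply(self):
        return self.unread.popleft()  # returns the OLDEST unread reply, whichever request produced it


class Pool:
    def __init__(self, discard_on_cancel):
        self.discard_on_cancel = discard_on_cancel
        self.idle = [FakeConn()]

    def get(self, key, cancel_before_read=False):
        conn = self.idle.pop() if self.idle else FakeConn()
        conn.send(key)
        if cancel_before_read:
            # The caller was cancelled after the command hit the wire but before the reply was read.
            if not self.discard_on_cancel:
                self.idle.append(conn)  # BUG: connection goes back to the pool with a stale reply queued
            return None  # hardened variant: connection dropped, a fresh one is opened next time
        reply = conn.read_reply()
        self.idle.append(conn)
        return reply


def simulate(discard_on_cancel):
    """Alice's lookup is cancelled mid-flight; return what Bob's subsequent lookup sees."""
    pool = Pool(discard_on_cancel)
    pool.get("session:alice", cancel_before_read=True)
    return pool.get("session:bob")


if __name__ == "__main__":
    print("vulnerable pool, Bob sees:", simulate(False))  # alice@example.com
    print("hardened pool, Bob sees:  ", simulate(True))   # bob@example.com
```

The same check applies to any pooled, pipelined client: a connection whose request/reply bookkeeping may be out of sync must be closed, never recycled.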

OpenAI says that the number of people whose data was exposed is likely to be very low as it required specific actions to take place, including:

  • Open a subscription confirmation email sent on Monday, March 20, between 1 a.m. and 10 a.m. Pacific time.
  • In ChatGPT, click on “My account,” then “Manage my subscription” between 1 a.m. and 10 a.m. Pacific time on Monday, March 20.

The company says it is contacting all ChatGPT users whose payment information was exposed.

OpenAI CEO Sam Altman apologized for the leaks Wednesday night on Twitter.

“We had a significant issue in ChatGPT due to a bug in an open source library, for which a fix has now been released and we have just finished validating. a small percentage of users were able to see the titles of other users’ conversation history,” Altman shared in a tweet.

“We feel awful about this.”

