OpenAI admits that a bug allowed ChatGPT to leak some users' credit card information
OpenAI put up a blog post yesterday explaining why it had to take down its conversational AI chatbot ChatGPT on March 20th. The blame is placed on a bug related to an open-source library that allowed users to see titles from another active user's history. The first message of a new conversation could also be seen in someone else's chat history if both users were using the chatbot at the same time.
But even scarier is that OpenAI admits that the same bug might be responsible for leaking payment-related information for a limited number of ChatGPT users who were using the platform over a specific time period. Before OpenAI took ChatGPT offline for a few hours last Monday, some subscribers could see another active user's first and last name, email address, payment address, the last four digits of a credit card number, and credit card expiration date. The bug did not allow full credit card numbers to be leaked.
1.2% of ChatGPT Plus subscribers active during a 9-hour window were vulnerable to having their credit card info leaked
Only 1.2% of the ChatGPT Plus subscribers active during a nine-hour window had this payment information revealed. OpenAI writes, "We believe the number of users whose data was actually revealed to someone else is extremely low." To access the aforementioned personal data, someone would have had to open a subscription confirmation email sent on Monday, March 20, between 1 a.m. and 10 a.m. Pacific time.
A small number of ChatGPT Plus subscribers had their payment information leaked last week
ChatGPT Plus is a premium service that costs $20 per month and promises access to the chatbot even during peak times. It also delivers faster results and priority access to improvements and new features.
Because of a bug, some of these emails went to the wrong subscribers and contained the last four digits of another user's credit card number. A small number of such emails might have gone out before March 20th, but this has yet to be confirmed by the company.
Those impacted by the bug have been notified and the flaw has been patched
Another way to obtain someone else's payment information was to click on "My Account," and then "Manage my subscription" on ChatGPT between 1 am and 10 am Pacific time on Monday, March 20. While in this window, another user's first and last name, email address, payment address, the last four digits of a credit card number, and the credit card expiration date could have been viewed. This also might have been available before March 20th although OpenAI has been unable to confirm this.
The good news is that the bug has been patched and the service put back up. OpenAI says that it got in touch with users who were possibly affected and told them that their payment information might have been exposed. The company says that it is confident that there is no "ongoing risk" to the personal data belonging to users.
The company adds that "Everyone at OpenAI is committed to protecting our users’ privacy and keeping their data safe. It’s a responsibility we take incredibly seriously. Unfortunately, this week we fell short of that commitment, and of our users’ expectations. We apologize again to our users and to the entire ChatGPT community and will work diligently to rebuild trust."
In the blog post, OpenAI says that it has taken the following actions to improve the platform:
- Extensively tested our fix to the underlying bug.
- Added redundant checks to ensure the data returned by our Redis cache matches the requesting user.
- Programmatically examined our logs to make sure that all messages are only available to the correct user.
- Correlated several data sources to precisely identify the affected users so that we can notify them.
- Improved logging to identify when this is happening and fully confirm it has stopped.
- Improved the robustness and scale of our Redis cluster to reduce the likelihood of connection errors at extreme load.
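As an added illustration of the "redundant check" in the second item above (example code, not OpenAI's own): a cache front end that stores the owner id alongside every record and refuses to hand a record to a different user, so a backend that returns another request's data is caught and counted instead of served. The backend, the user names and the crosstalk flag are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


class CrossUserCacheError(Exception):
    """Raised when the cache hands back a record owned by a different user."""


@dataclass(frozen=True)
class CachedRecord:
    owner_id: str  # user the record was written for
    payload: str   # e.g. a conversation title


class FaultyCache:
    """Constructed stand-in for a cache backend. With `crosstalk` set, a lookup
    returns the most recently written record regardless of key, modelling a
    connection that delivers another request's response."""

    def __init__(self) -> None:
        self._store: Dict[str, CachedRecord] = {}
        self._last: Optional[CachedRecord] = None
        self.crosstalk = False

    def set(self, key: str, record: CachedRecord) -> None:
        self._store[key] = record
        self._last = record

    def get(self, key: str) -> Optional[CachedRecord]:
        if self.crosstalk and self._last is not None:
            return self._last
        return self._store.get(key)


class UserScopedCache:
    """Namespaces keys per user and verifies ownership on every read."""

    def __init__(self, backend: FaultyCache) -> None:
        self.backend = backend
        self.mismatches = 0  # counter a defender would alert on

    def put(self, user_id: str, name: str, payload: str) -> None:
        self.backend.set(f"{user_id}:{name}", CachedRecord(user_id, payload))

    def get(self, user_id: str, name: str) -> Optional[str]:
        rec = self.backend.get(f"{user_id}:{name}")
        if rec is None:
            return None
        if rec.owner_id != user_id:  # the redundant check: owner must match requester
            self.mismatches += 1
            raise CrossUserCacheError(f"record for {rec.owner_id} returned to {user_id}")
        return rec.payload


def demo() -> Tuple[Optional[str], bool, int]:
    backend = FaultyCache()
    cache = UserScopedCache(backend)
    cache.put("alice", "title", "Alice's chat")
    cache.put("bob", "title", "Bob's chat")
    healthy = cache.get("alice", "title")  # backend behaves: Alice gets her own title
    backend.crosstalk = True               # backend now returns Bob's record to anyone
    try:
        cache.get("alice", "title")
        blocked = False
    except CrossUserCacheError:
        blocked = True                     # Bob's title never reaches Alice
    return healthy, blocked, cache.mismatches
```

Without the ownership check, the crosstalk path would have returned Bob's title to Alice silently; with it, the mismatch counter gives the logging signal the last two items in the list describe.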