On Monday, March 20, OpenAI's ChatGPT encountered a bug that allowed some users of the chatbot to see chats from other people between 1 am and 10 pm Pacific time. The bug was found and fixed, and OpenAI has since explained the technical details of the bug.
However, it turns out that more than just some chats might have been visible in that nine-hour window. OpenAI has now revealed that a tiny percentage of subscribers to its paid ChatGPT Plus service, about 1.2 percent, may have had personal information and partial payment information visible to others as well. OpenAI stated:
In the hours before we took ChatGPT offline on Monday, it was possible for some users to see another active user’s first and last name, email address, payment address, the last four digits (only) of a credit card number, and credit card expiration date. Full credit card numbers were not exposed at any time.
OpenAI believes that the number of ChatGPT Plus users who actually had personal and payment info visible during that time frame was "extremely low". Having said that, the company is contacting the people who may have had their information revealed.
While OpenAI says it is committed to user privacy, it admits that for the past week "we fell short of that commitment, and of our users’ expectations." It offered its apologies and stated it "will work diligently to rebuild trust."
As for the technical details of the ChatGPT bug, OpenAI stated that it centered on the open-source Redis client library, which the chatbot uses to "cache user information in our server". It stated:
At 1 a.m. Pacific time on Monday, March 20, we inadvertently introduced a change to our server that caused a spike in Redis request cancellations. This created a small probability for each connection to return bad data.
Again, the bug has since been fixed.
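The failure mode described above can be reproduced with a simplified model. This is an added example, not OpenAI's code or the Redis client library's; `FakeConn`, `Pool` and the key names are hypothetical, and it assumes the cancellation lands after a request is sent but before its reply is read from a pooled connection.

```python
import asyncio

class FakeConn:
    """Constructed stand-in for one pooled cache connection; replies arrive in request order."""
    def __init__(self):
        self.replies = asyncio.Queue()

    async def send(self, key):
        # The server answers every request, even if the caller stops waiting.
        self.replies.put_nowait(f"value-for:{key}")

    async def recv(self):
        await asyncio.sleep(0.01)  # network latency; a cancellation can land here
        return self.replies.get_nowait()

class Pool:
    """Hypothetical one-connection pool with a switch for the mitigation."""
    def __init__(self, discard_on_cancel):
        self.discard_on_cancel = discard_on_cancel
        self.idle = [FakeConn()]

    async def get(self, key):
        conn = self.idle.pop() if self.idle else FakeConn()
        reusable = True
        try:
            await conn.send(key)
            return await conn.recv()
        except asyncio.CancelledError:
            # Request sent, reply unread: the connection is now out of sync.
            reusable = not self.discard_on_cancel
            raise
        finally:
            if reusable:
                self.idle.append(conn)

async def scenario(discard_on_cancel):
    pool = Pool(discard_on_cancel)
    task = asyncio.create_task(pool.get("user:alice"))
    await asyncio.sleep(0)  # let alice's request go out
    task.cancel()           # cancelled before her reply is read
    await asyncio.gather(task, return_exceptions=True)
    return await pool.get("user:bob")  # what does the next user receive?

def run(discard_on_cancel):
    return asyncio.run(scenario(discard_on_cancel))

if __name__ == "__main__":
    print("reuse after cancel  :", run(False))
    print("discard after cancel:", run(True))
```

When the desynchronized connection goes back into the pool, the next caller reads the previous caller's reply; dropping any connection whose request was cancelled mid-flight keeps replies matched to their requesters.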