OpenAI: ChatGPT data leak caused by open-source bug
OpenAI's chatbot service, ChatGPT, experienced a data leak due to an open-source bug. Learn more about the incident and its implications.
OpenAI says a bug in an open-source Redis client library was behind Monday's ChatGPT outage and data leak, in which users saw other users' personal information and chat queries.
ChatGPT lists your previous queries in a sidebar, allowing you to click on one and regenerate a response from the chatbot.
On Monday morning, numerous ChatGPT users reported seeing other people's chat queries listed in their history.
Errrrrrrr. I was experimenting with ChatGPT @OpenAI when my prompt caused large amounts of text to be returned and a "timeout" kept occurring. However, your app is showing me OTHER PEOPLE'S chats and content now. I did not type any of these prompts or queries. pic.twitter.com/KwKsdg2W07 — hackerfantastic.crypto (@hackerfantastic) March 20, 2023
As first reported by PC Magazine, multiple ChatGPT Plus subscribers also reported seeing other people's email addresses on their subscription pages.
@OpenAI on payment page for ChatGPT Plus, it originally stated it had sent an SMS to a number I did not recognise. Then when selecting to send an email instead, it is showing an email address that I have never heard of. Form field is also pre-filled with the unknown email address pic.twitter.com/B4X5cZv2kn — Elliot (@elliotm_95) March 20, 2023
Soon after, OpenAI took ChatGPT offline to investigate the issue but did not, at the time, provide details as to what caused the outage.
Open-source library bug behind data leak
Today, OpenAI published a post-mortem report explaining that a bug in an open-source Redis client library caused the ChatGPT service to expose other users' chat queries and the personal information of approximately 1.2% of ChatGPT Plus subscribers.
If you use #ChatGPT be careful! There's a risk of your chats being shared to other users! Today I was presented another user's chat history. I couldn't see contents, but could see their recent chats' titles. #security #privacy #openAI #AI pic.twitter.com/DLX3CZntao — Jordan L Wheeler (@JordanLWheeler) March 20, 2023
"The bug was discovered in the Redis client open-source library, redis-py. As soon as we identified the bug, we reached out to the Redis maintainers with a patch to resolve the issue," OpenAI said in a post-mortem published today.
The exposed information includes a subscriber's name, email address, payment address, and the last four digits of their credit card number and expiration date.
"Upon deeper investigation, we also discovered that the same bug may have caused the unintentional visibility of payment-related information of 1.2% of the ChatGPT Plus subscribers who were active during a specific nine-hour window," explains the post-mortem.
We believe the number of users whose data was actually revealed to someone else is extremely low and we have contacted those who might be impacted. We take this very seriously and are sharing details of our investigation and plan here. 2/2 https://t.co/JwjfbcHr3g — OpenAI (@OpenAI) March 24, 2023
"In the hours before we took ChatGPT offline on Monday, it was possible for some users to see another active user's first and last name, email address, payment address, the last four digits (only) of a credit card number, and credit card expiration date. Full credit card numbers were not exposed at any time."
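The article does not walk through the mechanism, but the failure class behind a pooled-client bug of this kind is worth seeing in code: a request/response protocol over one connection returns replies strictly in the order commands were sent, so if a request is cancelled (for example by a client-side timeout) after its command went out but before its reply was read, the reply stays in the socket buffer. If that connection goes back into the pool, the next caller reads the previous caller's reply as its own. The simulation below is an added illustration written for this page, not code from redis-py or OpenAI; the `Connection`, `Pool` and `CACHE` names and the sample records are constructed, and the "fix" shown (not returning a connection to the pool after a cancellation mid-request) models the general remedy, not redis-py's exact patch.

```python
import asyncio
from collections import deque

# Constructed sample cache contents: per-user profile records keyed by user id.
CACHE = {
    "user:alice": {"name": "Alice", "last4": "4242"},
    "user:bob": {"name": "Bob", "last4": "0005"},
}


class Connection:
    """Toy client connection. As in a real request/response protocol over one
    socket, replies are delivered strictly in the order commands were sent."""

    def __init__(self):
        self.unread = deque()  # replies the server has written that we have not read yet

    def send(self, key):
        # The server answers as soon as it sees the command; the reply then sits in
        # the socket buffer until the client reads it.
        self.unread.append(CACHE[key])

    async def recv(self):
        await asyncio.sleep(0.01)  # network round trip; a cancellation can land here
        return self.unread.popleft()


class Pool:
    """Minimal connection pool with a switch between the buggy and the fixed behaviour."""

    def __init__(self, discard_on_cancel):
        self.discard_on_cancel = discard_on_cancel
        self.idle = [Connection()]  # one shared connection is enough to show the bug

    async def get(self, key):
        conn = self.idle.pop() if self.idle else Connection()
        try:
            conn.send(key)
            reply = await conn.recv()
        except asyncio.CancelledError:
            # Cancelled after the command went out but before its reply was read:
            # the connection now holds a reply that belongs to nobody who is still
            # waiting. The buggy pool returns it anyway; the fixed pool drops it
            # (a real client would close the socket) and hands back a fresh one.
            if self.discard_on_cancel:
                conn = Connection()
            raise
        finally:
            self.idle.append(conn)  # return a connection to the pool for the next caller
        return reply


async def scenario(discard_on_cancel):
    pool = Pool(discard_on_cancel)

    # Alice's lookup is cancelled (client timeout) once the command is already sent.
    task = asyncio.create_task(pool.get("user:alice"))
    await asyncio.sleep(0)  # let the task run up to the point where it awaits the reply
    task.cancel()
    try:
        await task
    except asyncio.CancelledError:
        pass

    # Bob's lookup reuses whatever the pool hands out next.
    return await pool.get("user:bob")


def run(discard_on_cancel):
    """Returns the record Bob's request received under the chosen pool behaviour."""
    return asyncio.run(scenario(discard_on_cancel))


if __name__ == "__main__":
    print("buggy pool, Bob's request returned:", run(False))
    print("fixed pool, Bob's request returned:", run(True))
```

With the buggy pool, Bob's request is answered with Alice's record, including her name and card last-four, which is the shape of the leak the post-mortem describes; with the fixed pool, Bob gets his own record. The detail to take away is that the cancellation itself is harmless; what matters is whether the half-finished connection is allowed back into the shared pool.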
Number of People Exposed in Data Breach 'Extremely Low'
How many people's personal data got exposed? OpenAI claims the number of users whose data was actually revealed to someone else "is extremely low," and explained why: for their data to have been exposed, a ChatGPT Plus subscriber would have needed to do one of the following:
- Open a subscription confirmation email sent on Monday, March 20, between 1 a.m. and 10 a.m. PT. Due to the bug, some subscription confirmation emails generated during that window were sent to the wrong users. These emails contained the last four digits of another user’s credit card number, but full credit card numbers did not appear. It’s possible that a small number of subscription confirmation emails might have been incorrectly addressed prior to March 20, although we have not confirmed any instances of this.
- In ChatGPT, click on “My Account,” then “Manage my subscription” between 1 a.m. and 10 a.m. Pacific time on Monday, March 20. During this window, another active ChatGPT Plus user’s first and last name, email address, payment address, the last four digits (only) of a credit card number, and credit card expiration date might have been visible. It’s possible that this also could have occurred prior to March 20, although we have not confirmed any instances of this.
"We have reached out to notify affected users that their payment information may have been exposed. We are confident that there is no ongoing risk to users’ data," OpenAI officials said. "Everyone at OpenAI is committed to protecting our users’ privacy and keeping their data safe. It’s a responsibility we take incredibly seriously. Unfortunately, this week we fell short of that commitment, and of our users’ expectations. We apologize again to our users and to the entire ChatGPT community and will work diligently to rebuild trust."
"We feel awful about this."
we had a significant issue in ChatGPT due to a bug in an open source library, for which a fix has now been released and we have just finished validating.
a small percentage of users were able to see the titles of other users’ conversation history.
we feel awful about this. — Sam Altman (@sama) March 22, 2023