OpenAI was forced to take its popular ChatGPT bot offline for emergency maintenance on Tuesday after a user was able to exploit a bug in the system to retrieve the titles of other users’ chat histories. On Friday, the company announced its initial incident findings.
In the incident on Tuesday, users posted screenshots on Reddit showing their ChatGPT sidebars featuring previous chat stories from other users. Only the title of the conversation was visible, not the text itself. OpenAI, in response, took the bot offline for nearly 10 hours to investigate. The results of that investigation revealed a deeper security issue: the chat history bug could have also revealed personal data of 1.2 percent of ChatGPT Plus subscribers (a $20/month enhanced access package).
“In the hours before we took ChatGPT offline on Monday, it was possible for some users to see first and last name, email address, payment address, the last four digits (only) of a credit card number, and the other user’s credit card active. expiration date. Full credit card numbers were not exposed at any time,” the OpenAI team wrote on Friday. The issue has since been fixed for the faulty library that OpenAI identified such as the open source Redis client library, redis-py.
The company has downplayed the likelihood of such a breach occurring, arguing that any of the following criteria would have to be met to put a user at risk:
– Open a subscription confirmation email sent on Monday, March 20, between 1am and 10am Pacific Time. Due to the bug, some subscription confirmation emails generated during that window were sent to the wrong users. These emails contained the last four digits of another user’s credit card number, but the full credit card numbers were not listed. A small number of subscription confirmation emails may have been sent incorrectly prior to March 20, although we have not confirmed any instances of this.
– In ChatGPT, click “My Account” then “Manage My Subscription” between 1am and 10am Pacific Time on Monday, March 20. During this window, another asset The ChatGPT Plus user’s first and last name, email address, payment address, last four digits (only) of a credit card number, and credit card expiration date might have been visible. This may have also occurred before March 20, although we have not confirmed any cases of this.
The company has taken additional steps to prevent this from happening again in the future, including adding redundant checks to library calls, “programmatically examined our logs to ensure all messages are only available to the correct user” and “improved logging to identify when this is happening and fully confirm that it has stopped.” The company says it also reached out to alert affected users of the issue.
This news follows a costly public faux pas by Google rival Bard AI in February, when it incorrectly claimed to Twitter that JWST was the first telescope to image an exoplanet, as well as revelations that CNET had surreptitiously used generative AI to write financial explanatory posts (a week earlier lay off a considerable part of its editorial department). Whether OpenAI will suffer the same market repercussions as its competitors remains to be seen.
