We took ChatGPT offline earlier this week due to a bug in an open source library that allowed some users to view titles from another active user’s chat history. It is also possible that the first message of a newly created conversation was visible in someone else’s chat history if both users were active at the same time.
The bug is now patched. We were able to restore both the ChatGPT service and later its chat history feature, with the exception of a few hours of history. As promised, we are posting more technical details of this problem below.
Upon further investigation, we also discovered that the same bug may have caused the unintentional visibility of payment-related information for the 1.2% of ChatGPT Plus subscribers who were active during a specific nine-hour window. In the hours before we took ChatGPT offline on Monday, it was possible for some users to see another active user’s first and last name, email address, payment address, last four digits (only) of a credit card number, and credit card expiration date. The full credit card numbers were not exposed at any time.
We believe that the number of users whose data has been disclosed to another person is extremely low. To access this information, a ChatGPT Plus subscriber would have to have done the following:
- Open a subscription confirmation email sent on Monday, March 20, between 1am and 10am Pacific Time. Due to the bug, some subscription confirmation emails generated during that window were sent to the wrong users. These emails contained the last four digits of another user’s credit card number, but the full credit card numbers were not listed. A small number of subscription confirmation emails may have been sent incorrectly prior to March 20, although we have not confirmed any instances of this.
- In ChatGPT, click “My Account” then “Manage My Subscription” between 1am and 10am Pacific Time on Monday, March 20. During this window, another active ChatGPT Plus user’s first and last name, email address, payment address, last four digits (only) of a credit card number, and credit card expiration date might have been visible. This may have also occurred before March 20, although we have not confirmed any cases of this.
We are reaching out to notify affected users that their payment information may have been exposed. We are confident that there is no ongoing risk to user data.
Everyone at OpenAI is committed to protecting the privacy of our users and keeping their data safe. It’s a responsibility we take incredibly seriously. Unfortunately, this week we did not meet that commitment or the expectations of our users. We apologize once again to our users and the entire ChatGPT community and we will work diligently to rebuild trust.