OpenAI has reported a concerning finding from its investigation of a system bug that exposed the titles of users' chat histories. According to the company, the bug leaked not only the titles and first messages of conversations with the chatbot but also more sensitive information, such as users' full names, addresses, and credit card details.
ChatGPT Bug May Have Also Leaked Sensitive Info of 1.2 Percent of Plus Subscribers
ChatGPT went offline for ten hours as OpenAI performed emergency maintenance to fix the cause of the bug. However, the company found out that the info leak due to the bug was more alarming than initially thought. The initial findings show that the bug may have "potentially revealed" the private data of 1.2% of ChatGPT Plus subscribers, the users who pay $20 per month to access extended AI chat features.
The private data include the first and last names of active users, e-mail addresses, billing addresses, the last four digits of a credit card number, and the credit card's expiration date. However, OpenAI emphasized that the bug did not leak complete credit card numbers. ChatGPT is back online and the issue has been fixed; the bug was traced to redis-py, an open-source Redis client library.
As per Mashable, OpenAI pulled ChatGPT off the Internet 9 hours after the bug was first reported, which means that the personal data may have been exposed to a few people within that timeframe. People went to Reddit to report the bug with screenshots of ChatGPT sidebars containing the chat histories of other users. Note that the chat texts themselves were not leaked, only the titles of the conversations.
OpenAI Says Chances of Other Users Viewing Leaked Private Data are Low
OpenAI said that they already notified the ChatGPT Plus users whose information may have leaked. However, the company pointed out that the likelihood of other users seeing the leaked data is low. As reported by Engadget, one would have to complete certain actions to access other users' private data. First, a user has to "open a subscription confirmation email sent on Monday, March 20, between 1 a.m. and 10 a.m. PT." One also needs to "click on 'My Account' then 'Manage my Subscription' between 1 a.m. and 10 a.m. PT."
OpenAI said that redundant checks were added to library calls to prevent similar bugs from appearing in the future. The company also "programmatically examined" the logs to make sure that users will only receive messages that are intended for them. Lastly, OpenAI improved its logging so that when a bug happens, it can identify when the bug occurred and confirm whether it has been stopped.
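As an added illustration (not OpenAI's code and not part of the original article), the sketch below shows one way a redundant check on cache calls can work: each cached value is stored with the user and key it belongs to, and a reply that does not match the requester is rejected and logged with a timestamp. The function names, the envelope format, and the sample data are assumptions made for this example.

```python
import json
import time


class OwnerMismatch(Exception):
    """The cache reply was stored for a different user or key."""


def wrap(user_id, cache_key, data):
    """Serialize data together with the user and key it was stored for."""
    return json.dumps({"owner": user_id, "key": cache_key, "data": data})


def checked_get(cache_get, user_id, cache_key, audit_log, now=time.time):
    """Return cached data only if its envelope matches the requester."""
    raw = cache_get(cache_key)
    if raw is None:
        return None  # cache miss: caller falls back to the primary store
    env = json.loads(raw)
    if env.get("owner") != user_id or env.get("key") != cache_key:
        # Record when the mismatch happened and for whom, then fail closed.
        audit_log.append({"ts": now(), "requester": user_id,
                          "requested_key": cache_key,
                          "reply_owner": env.get("owner"),
                          "reply_key": env.get("key")})
        raise OwnerMismatch(cache_key)
    return env["data"]


# Constructed sample data: two users' billing summaries.
STORE = {
    "billing:alice": wrap("alice", "billing:alice", {"last4": "0000", "exp": "01/30"}),
    "billing:bob": wrap("bob", "billing:bob", {"last4": "1111", "exp": "02/31"}),
}


def healthy_get(key):
    return STORE.get(key)


def misrouted_get(key):
    """Hypothetical faulty client: answers every request with bob's entry."""
    return STORE["billing:bob"]


def demo():
    log = []
    ok = checked_get(healthy_get, "alice", "billing:alice", log)
    try:
        checked_get(misrouted_get, "alice", "billing:alice", log)
        leaked = True
    except OwnerMismatch:
        leaked = False
    return ok, leaked, log
```

The check fails closed: a mismatched reply never reaches the caller, and the log entry gives responders the time window and the affected accounts.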
As of writing, ChatGPT is up and running, and users don't have to worry about their chat histories, as these have been restored after the emergency maintenance. The day after the leak was reported, OpenAI CEO Sam Altman took to Twitter to apologize, saying that his team felt "awful" about the incident.