ChatGPT's embarrassing glitch last week may have resulted in a more extensive leak, including actual chat messages between users and the chatbot, personally identifiable data, as well as credit card information.
Last Monday the hugely popular ChatGPT glitched due to a bug in an open source library, OpenAI said.
The bug stemmed from the Redis client open-source library, redis-py, OpenAI researchers later discovered.
The mishap caused ChatGPT to share some users’ chat histories with others. As the chatbot’s makers rushed to address the flaw, it was initially believed that only individual chat titles had been leaked - not the substance of the chats themselves.
But according to a more recent update from the AI lab, that assumption may have been false.
“It’s also possible that the first message of a newly-created conversation was visible in someone else’s chat history if both users were active around the same time,” the research lab says.
“The same bug may have caused the unintentional visibility of payment-related information of 1.2% of the ChatGPT Plus subscribers who were active during a specific nine-hour window,” the update further reveals.
The extent of the leak could be even bigger than that, albeit not easy to exploit. OpenAI says in the hours before it took down the service, it was possible for some users to see another active user’s first and last name, email address, payment address, the last four digits of a credit card number, and credit card expiration date.
According to the company, full credit card numbers were not exposed at any time, while the number of users whose data was actually revealed to someone else is believed to be “extremely low.” Also, to access this information, a ChatGPT Plus subscriber would have needed to perform quite a few specific actions, as detailed in the memo.
OpenAI has reached out to notify affected users that their payment information may have been exposed, but maintains that it is confident there is no ongoing risk to users’ data.
“Everyone at OpenAI is committed to protecting our users’ privacy and keeping their data safe,” the apologetic notice reads. “It’s a responsibility we take incredibly seriously. Unfortunately, this week we fell short of that commitment, and of our users’ expectations. We apologize again to our users and to the entire ChatGPT community and will work diligently to rebuild trust.”
OpenAI's update includes some technical details about the glitch, revealing that the bug stemmed from recycled request connections.
The company says it has added redundant checks to fully avoid mismatching the person making the request, and “programmatically examined” its logs to ensure all messages are only available to the correct user.
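The recycled-connection failure and the redundant requester check described above, as an added simulation that is not OpenAI's or redis-py's code: a reply left unread on a pooled connection is handed to the next requester unless an ownership check rejects it. `ToyConnection`, `fetch`, `scenario`, the sample users and the cancelled request that strands the reply are assumptions made for the illustration.

```python
import asyncio

class ToyConnection:
    """Constructed stand-in for one pooled connection; replies return in FIFO order."""
    def __init__(self):
        self.replies = asyncio.Queue()
        self.tasks = []          # keep references to the simulated server work
        self.broken = False      # set when the connection must not be reused

    def send(self, user, key):
        async def answer():      # simulated server: replies after a short delay
            await asyncio.sleep(0.01)
            await self.replies.put({"owner": user, "data": f"{key} of {user}"})
        self.tasks.append(asyncio.create_task(answer()))

async def fetch(conn, user, key, checked):
    conn.send(user, key)
    reply = await conn.replies.get()     # cancellation here strands the reply
    if checked and reply["owner"] != user:
        conn.broken = True               # redundant check: drop, never serve
        raise PermissionError("reply belongs to another requester")
    return reply["data"]

async def scenario(checked):
    conn = ToyConnection()
    alice = asyncio.create_task(fetch(conn, "alice", "billing", checked))
    await asyncio.sleep(0)               # alice's request is now on the wire
    alice.cancel()                       # assumed trigger: cancelled before the read
    try:
        await alice
    except asyncio.CancelledError:
        pass
    try:                                 # the same connection is recycled for bob
        return await fetch(conn, "bob", "billing", checked)
    except PermissionError as exc:
        return f"rejected: {exc}"

if __name__ == "__main__":
    print("unchecked:", asyncio.run(scenario(False)))
    print("checked:  ", asyncio.run(scenario(True)))
```

Without the check, bob's request returns alice's billing record; with it, the mismatched reply is refused and the connection is flagged so a pool can discard it instead of recycling it again.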
Filip has 15 years of experience in technology journalism. In recent years, he has turned his focus to cybersecurity in his role as Information Security Analyst at Bitdefender.