On Friday, OpenAI confirmed the ChatGPT Data Breach caused a bug in the open-source library. Following the breach, ChatGPT was immediately taken down by OpenAI to resolve the issue, with maintainers of Redis patching the flaw which caused the revelation of the user’s information.
Users reported they were able to see another user’s conversation history titles. While later it was reported about 1.2% of ChatGPT Plus users’ payment-related information was leaked such as First and Last names, email, payment addresses, and last 4 digits of their credit card number (Full credit along with the card’s expiry date).
Key Points:
- A bug was discovered in Redis-py which is (a Redis client open-source library) which causes a data breach in OpenAI’s chat service ChatGPT.
- 1.2% of subscribers’ personal information was leaked during this breach including their first and last name, email, payment address, last four digits of their credit card number, and their expiry date. (Only the last 4-digit were exposed during the breach)
- ChatGPT was taken down by OpenAI to resolve the issue, the AI chat service reached out to Redis maintainers with a patch to solve this issue.
What caused the ChatGPT Data Breach?
The cause for ChatGPT’s Data Breach was a “Bug” which was discovered in the Redis client open-source library, Redis-py. It was reported by OpenAI, they reached out to Redis maintainers along with a patch to fix this issue.
A Redis-py library serves as a Python interface. The Developers in ChatGPT utilize Redis in the system to cache user data in their server. This helps avoid the constant need to check the database of chatbots for every request.
The bug resulted in leaking the user’s personal information such as the subscriber’s name, payment address, email, and last four digits of paid subscriber’s credit card number along with its expiry date. Following the breach, ChatGPT immediately took the server down, rendering its services out to resolve the issue.
Even after the restoration of ChatGPT was completed, users’ chat histories were kept hidden for hours to perform a post-mortem, cease the exposing of data, and take suitable action against the same.
OpenAI stated in the post-mortem, “Upon deeper investigation, it was discovered the same bug might have generated the unintentional visibility of paid subscriber’s payment-related data. About 1.2% of ChatGPT Plus subscribers’ (ChatGPT Plus is a premium version of ChatGPT that provides GPT-4 features and responses) data were released who were active during the particular nine-hour window.”
Before ChatGPT was turned offline following the bug issue and subscriber’s data leak on Monday 20th March, a few users conveyed they were able to witness another active user’s personal details such as their first and last name, payment address, email, and last 4-digit of their credit card number (full credit card number was not exposed in the information leak) and expiry date.
OpenAI stated a very low number of ChatGPT Plus subscribers’ data were leaked, and specific actions were taken place to resolve this issue such as:
A subscription confirmation mail was sent to all the paid users whose data were leaked on 20th March, at 1 a.m. and 10 a.m. Users can then confirm their subscription by simply tapping on “My Account” on ChatGPT Plus and then navigating to “Manage my subscription” from 1 a.m. to 10 a.m. on Pacific time. In addition, OpenAI claimed they contacted all the affected ChatGPT Plus subscribers whose payment details were leaked due to a bug to ensure the safety of their subscribers.
If you use #ChatGPT be careful! There's a risk of your chats being shared to other users!
— Jordan L Wheeler (@JordanLWheeler) March 20, 2023
Today I was presented another user's chat history.
I couldn't see contents, but could see their recent chats' titles.#security #privacy #openAI #AI pic.twitter.com/DLX3CZntao
OpenAI’s response to the information leak
OpenAI’s CEO Sam Altman, took to his Twitter on 23rd March, addressing the issue, saying “We encountered a significant problem in ChatGPT due to a bug in the open source library, for which a solution now has been cast and we have just completed validating the issue.”
“A small number of subscribers were able to see the titles of other users’ ChatGPT conversation history during this case. We feel terrible about this.”
Sam Alman also said via his Twitter account, “Unfortunately, users will be unable to see their ChatGPT chat history from Monday 1 am PDT until 10 am Monday PDT” We will follow up with a technical postmortem.
