OpenAI Suffers Privacy Breach: Payment Details of ChatGPT Plus Subscribers Exposed
OpenAI reveals payment-related data leak affecting a small percentage of ChatGPT Plus users during a recent service outage.
OpenAI, a leading artificial intelligence research lab, experienced a privacy breach during a recent ChatGPT service outage. On March 20, a bug in an open-source library allowed some users to see titles from another active user’s chat history. In a more concerning revelation, the same bug may have unintentionally exposed payment-related information belonging to 1.2% of ChatGPT Plus subscribers who were active during a specific nine-hour window.
The bug, now patched, had the potential to expose users’ first and last names, email addresses, payment addresses, the last four digits of their credit card numbers, and credit card expiration dates. Full credit card numbers were not exposed at any time. OpenAI believes the number of users whose data was actually revealed to someone else is extremely low. The company has reached out to notify affected users that their payment information may have been exposed.
In the original blog post from OpenAI, the company stated, “We apologize again to our users and to the entire ChatGPT community and will work diligently to rebuild trust.”
The privacy breach raises concerns about the security of user data on online platforms, even those managed by industry leaders like OpenAI. Users may question the effectiveness of security measures in place to protect their personal and financial information.
Technical details shared by OpenAI revealed that the bug originated in redis-py, the open-source Redis client library. The issue occurred when a connection between the server and the cluster became corrupted, causing data to be erroneously returned to an unrelated user. OpenAI has since worked with Redis maintainers to fix the bug and has taken additional measures to ensure user data safety.
In their blog post, OpenAI detailed the actions taken, stating, “We have taken the following actions to improve our systems: Extensively tested our fix to the underlying bug. Added redundant checks to ensure the data returned by our Redis cache matches the requesting user. Programmatically examined our logs to make sure that all messages are only available to the correct user.”
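The redundant check quoted above, sketched as an added example (not OpenAI's or redis-py's code): each cached value carries its owner and key, and the reader rejects any reply that does not match the requesting user. `FakeSharedConnection`, the key layout and the sample billing values are constructed assumptions standing in for a shared connection whose replies have fallen out of step with its requests.

```python
import json
from collections import deque

class OwnershipMismatch(Exception):
    """Cache reply does not belong to the requesting user."""

class FakeSharedConnection:
    """Constructed stand-in for a shared cache connection (not redis-py)."""
    def __init__(self):
        self._store = {}
        self._unread = deque()  # replies waiting on the wire, oldest first
    def set(self, key, value):
        self._store[key] = value
    def send(self, key):  # request goes out, its reply is queued
        self._unread.append(self._store.get(key))
    def get(self, key):  # send, then read whichever reply is next
        self.send(key)
        return self._unread.popleft()
    def reset(self):  # discard connection state after a desync
        self._unread.clear()

def cache_put(conn, user_id, name, payload):
    key = f"user:{user_id}:{name}"
    # Bind owner and key into the value so every reader can verify them.
    conn.set(key, json.dumps({"owner": user_id, "key": key, "data": payload}))

def cache_get(conn, user_id, name):
    key = f"user:{user_id}:{name}"
    raw = conn.get(key)
    if raw is None:
        return None
    envelope = json.loads(raw)
    if envelope.get("owner") != user_id or envelope.get("key") != key:
        conn.reset()  # fail closed: never hand back another user's data
        raise OwnershipMismatch(f"reply for {key!r} belongs to someone else")
    return envelope["data"]

def demo():
    conn = FakeSharedConnection()
    cache_put(conn, "alice", "billing", {"last4": "4242"})  # constructed data
    cache_put(conn, "bob", "billing", {"last4": "1111"})
    conn.send("user:alice:billing")  # constructed fault: reply left unread
    try:
        cache_get(conn, "bob", "billing")  # would receive alice's reply
        blocked = False
    except OwnershipMismatch:
        blocked = True
    # After the reset the connection is back in step for the same user.
    return blocked, cache_get(conn, "bob", "billing")
```

The check runs on every read, so it catches a mis-delivered reply whatever the cause, and resetting the connection on a mismatch keeps the stale reply from reaching the next caller.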
This incident highlights the vulnerability of online platforms to privacy breaches and the importance of robust security measures. OpenAI is committed to learning from this experience and will continue to support and contribute to the open-source community, recognizing the crucial role it plays in their research efforts.
As users rely more heavily on AI-driven platforms, it is crucial that providers like OpenAI prioritize security and privacy to maintain user trust and confidence in their services.