We decided to take ChatGPT down this week because of an issue with one of the open-source libraries. This bug permitted people to view conversational threads belonging to other active users.
If two users were active at around the same time, it is possible that the first message of a newly created conversation was visible in someone else’s chat history.
We restored the ChatGPT service and its chat history feature, except for a few hours of history. The bug has been patched, and as promised, we are publishing more technical details of this problem.
We conducted a further investigation, which uncovered an issue that had resulted in the payment-related information of 1.2% of ChatGPT Plus subscribers who were active during a specific nine-hour window being inadvertently exposed.
Before ChatGPT was taken offline on Monday, users could access personal information from other active users, including their first and last name, email address, payment address, the last four digits of a credit card number, and the expiration date. However, full credit card numbers were not exposed.
We believe the number of users whose data was revealed to someone else is minimal. To access this information, a ChatGPT Plus subscriber would have had to manually share their credentials with someone else or accidentally leave their account logged in and unsecured.
We apologize for the inconvenience caused on Monday, March 20, from 1 a.m. to 10 a.m. Pacific time; unfortunately, a bug resulted in some subscription confirmation emails being sent to incorrect users.
Although we have not confirmed any instances before March 20, a few subscription confirmation emails may have been mistakenly addressed, containing the last four digits of another user’s credit card number but not the full numbers.
On the morning of Monday, March 20, between 1 a.m. and 10 a.m. Pacific time, if you are a ChatGPT user, you can manage your subscription by accessing “My Account” from within the application.
During this window, a ChatGPT Plus user’s first and last name, email address, payment address, the last four digits of their credit card number, and expiration date could have been visible to other active users.
March 20 is the earliest we have confirmed any instances of this occurring. However, it’s possible that this could have happened before this date as well.
We contacted impacted users to inform them that their payment info might have been compromised. We firmly believe that there is no further risk to their data.
This week we failed to uphold OpenAI’s responsibility of protecting the privacy and safety of our users, a commitment we take very seriously. We did not meet our users’ expectations of us, nor did we protect their data and privacy. We apologize for our mistake.
We want to apologize again to our users and the ChatGPT community. We are striving to regain everyone’s trust and will do all we can to make amends for our oversight.
The outage was a frustrating experience for the ChatGPT team and its users, but it provided an opportunity to learn and improve the platform’s performance. Going forward, the team will continue to monitor and optimize the system to ensure that ChatGPT remains a reliable and accessible resource for its users.
Source: @OpenAI