
OpenAI has described how a bug in the open-source Redis client library used by ChatGPT exposed the payment details of some ChatGPT Plus subscribers to other users.
ChatGPT was taken offline last week after the company discovered a bug that allowed some users to see the titles and first messages of other active users' conversation histories.
OpenAI quickly fixed the problem and restored the ChatGPT service and conversation history.
Unfortunately, a subsequent investigation revealed that the same fault had also caused the accidental disclosure of payment-related information.
According to the company, this affected around 1.2% of ChatGPT Plus subscribers who were active during a nine-hour window.
“In the hours before we took ChatGPT offline on Monday, it was possible for some users to see another active user’s first and last name, email address, payment address, the last four digits (only) of a credit card number, and credit card expiration date,” OpenAI said.
Luckily, no complete credit card numbers were ever exposed.
According to OpenAI, there are two scenarios in which the wrong ChatGPT Plus subscriber might have seen another user's payment data.
First, they may have received the wrong subscription confirmation email on March 20, 2023, between 10:00 and 19:00 South African time.
"Due to the bug, some subscription confirmation emails generated during that window were sent to the wrong users," OpenAI said.
"These emails contained the last four digits of another user's credit card number, but full credit card numbers did not appear."
It also stated that a "small number" of subscription confirmation emails may have been handled incorrectly prior to March 20, although it has yet to confirm any such cases.
The second way a user's information might have been exposed is if another active user opened the "Manage my subscription" link in the My Account area of ChatGPT during the same window.
“During this window, another active ChatGPT Plus user’s first and last name, email address, payment address, the last four digits (only) of a credit card number, and credit card expiration date might have been visible,” OpenAI said. “It’s possible that this also could have occurred prior to 20 March, although we have not confirmed any instances of this.”
OpenAI stated that it has contacted affected users to alert them that their payment information may have been exposed.
It also stated that it is confident there is no ongoing risk to users' data.
In a blog post last week, the company also published detailed technical information on the fault and how it was repaired.
