OpenAI has described how an issue in ChatGPT’s Redis open-source client library exposed the financial credentials of certain ChatGPT Plus members to other users.
ChatGPT was taken offline last week after the company discovered a bug that allowed certain users to read the titles and first messages from the conversation history of other active users.
It quickly fixed the problem and restored ChatGPT services and conversation history.
Unfortunately, later investigation revealed that the same mistake had also led to the accidental disclosure of payment-related information.
According to the company, this affected about 1.2% of ChatGPT Plus members who were active over a nine-hour period.
“In the hours before we took ChatGPT offline on Monday, it was possible for some users to enter the first and last name, email address, payment address, last four digits (only) of a credit card number, and credit card number of another active user. to see. expiration date,” said OpenAI.
Fortunately, full credit card numbers have never been revealed.
According to OpenAI, there are two situations where the wrong ChatGPT Plus subscriber may have viewed another user’s payment details.
For starters, they may have received the wrong subscription confirmation email on March 20, 2023 between 10:00 AM and 7:00 PM South Africa time.
“Due to the bug, some subscription confirmation emails generated during that time period were sent to the wrong users,” OpenAI said.
“These emails contained the last four digits of another user’s credit card number, but the full credit card numbers did not appear.
It also stated that a “small number” of subscriber confirmation emails prior to March 20 may have been mishandled, though it has yet to confirm any such instances.
The second way a user’s information could have been exposed is if another active user accessed the “Managed My Subscription” link in the My Account section of ChatGPT at the same time.
“During this window, the first and last name, email address, payment address, last four digits (only) of a credit card number, and credit card expiration date may have been visible,” OpenAI said. “It is possible that this also occurred before March 20, although we have not confirmed any instances of this.”
OpenAI stated that it contacted affected individuals to warn them that their payment details may have been compromised.
It also stated that it was certain there was no ongoing threat to consumers’ data.
In a blog post last week, the company also provided detailed technical information about the outage and how it was repaired.
