ChatGPT Exposed Payment Card Data of Subscribers
Outage Revealed Chat Topics, Emails and Last Four Digits of Payment Cards
Prajeet Nair (@prajeetspeaks) • March 26, 2023
OpenAI said it took its ChatGPT chatbot offline Monday after detecting a bug in an open source library that allowed users to see snatches of conversations from another active user’s chat history.
The company now says the bug, in software used to cache user information, may also have exposed payment-related information of 1.2% of ChatGPT Plus subscribers who were active during the early hours of Monday morning in the time zone of its California headquarters.
“The bug is now patched. We were able to restore both the ChatGPT service and, later, its chat history feature, with the exception of a few hours of history,” the company wrote in a Friday blog post.
OpenAI founder Sam Altman has reportedly told investors the company will earn $1 billion by 2024, including through paid subscriptions that prioritize paying customers’ access to the natural language model interface.
The shutdown occurred after users reported seeing the chat histories of other users in their accounts. One user tweeted about seeing chat histories from another account including topics such as “phobia of rats” and “sexist music video clips.”
OpenAI says the bug may also have made the first message of a newly created conversation visible in someone else’s chat history if both users were active around the same time.
Privacy advocates have cautioned that sharing intimate details with ChatGPT could result in that information being transferred to a third party.
The platform says users active during a nine-hour period starting at 1 a.m. Pacific Daylight Time on March 20 were most at risk of having their payment information exposed. The bug allowed users to see another active user’s first and last name, email address, payment address, the last four digits of a credit card number and the credit card expiration date. Users would have had to navigate to the “Manage my subscription” section of the website to see the information.
Subscription confirmation emails containing the last four digits of another user’s payment card generated during that window also were sent to the wrong users, the company says.