ChatGPT bug disclosed payment information of users: OpenAI
The flaw was found in the open-source Redis client library “redis-py”.

OpenAI, the company that developed ChatGPT, acknowledged that some customers’ credit card information might have been exposed when it took the service offline earlier this week because of an error.

According to the firm, a bug in an open-source library allowed some users to see titles from another active user’s chat history, which led the Microsoft-owned company to take ChatGPT offline.

“It was also possible that the first message of a newly-created conversation was visible in someone else’s chat history if both users were active around the same time,” said the company.

The bug was discovered in the Redis client open-source library called redis-py. Source: News18

The issue has since been fixed, and the ChatGPT service and its chat history feature are available again, with the exception of a couple of hours of history.

However, upon deeper investigation, OpenAI discovered that the same bug may have caused the unintentional visibility of “payment-related information of 1.2 percent of the ChatGPT Plus subscribers who were active during a specific nine-hour window”.

“In the hours before we took ChatGPT offline, it was possible for some users to see another active user’s first and last name, email address, payment address, the last four digits (only) of a credit card number, and credit card expiration date. Full credit card numbers were not exposed at any time,” the company revealed.

As a consequence of the issue, some subscription confirmation emails generated during that window were sent to the wrong users.

Those emails did not contain full credit card numbers, but they did contain the last four digits of another user’s credit card number.

“It’s possible that a small number of subscription confirmation emails might have been incorrectly addressed prior to March 20, although we have not confirmed any instances of this,” OpenAI further said.

The firm said it had notified the affected users that their payment details might have been compromised.

“We are confident that there is no ongoing risk to users’ data,” it added, apologizing again to users and the entire ChatGPT community.

The flaw was found in the open-source Redis client library “redis-py”.

According to OpenAI, the bug, which affected only a very specific version of Redis, has already been resolved, and the team members have been “fantastic collaborators.” The company also says it is changing its own software and processes to make sure that nothing similar happens again.

The changes include adding “redundant checks” to ensure that the data being returned belongs to the user who made the request, and reducing the likelihood that its Redis cluster encounters errors under heavy load.
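One way to picture such a redundant check, as an added example that is not OpenAI's or redis-py's code: each cached value is wrapped with its owner and key when written, and both are verified again when read, so a response delivered to the wrong request is discarded instead of served. The envelope format, the function names, the sample records and the dict-backed `MisdeliveringCache` (a stand-in so the block runs without a Redis server) are assumptions.

```python
import json

class OwnershipMismatch(Exception):
    """Cached data does not belong to the requesting user."""

def seal(user_id, key, payload):
    # Bind the payload to its owner and cache key at write time.
    return json.dumps({"owner": user_id, "key": key, "payload": payload})

def open_for(user_id, key, raw):
    # Redundant check at read time: do not assume the cache client
    # returned the entry that was actually requested.
    env = json.loads(raw)
    if not isinstance(env, dict) or env.get("owner") != user_id or env.get("key") != key:
        raise OwnershipMismatch(f"entry under {key!r} is not owned by {user_id!r}")
    return env["payload"]

class MisdeliveringCache:
    """Constructed stand-in for a cache client that can hand back another request's data."""
    def __init__(self):
        self.data = {}
        self.swap = {}  # key -> key whose value is wrongly returned

    def set(self, key, value):
        self.data[key] = value

    def get(self, key):
        return self.data.get(self.swap.get(key, key))

def get_billing(cache, user_id, load_from_db):
    """Return (record, source); a failed ownership check is treated as a cache miss."""
    key = f"billing:{user_id}"
    raw = cache.get(key)
    if raw is not None:
        try:
            return open_for(user_id, key, raw), "cache"
        except (OwnershipMismatch, ValueError):
            pass  # fail closed: never serve the entry, fall through to the database
    payload = load_from_db(user_id)
    cache.set(key, seal(user_id, key, payload))
    return payload, "db"

# Constructed sample records (hypothetical users, not real data).
SAMPLE_DB = {
    "u1": {"email": "alice@example.test", "last4": "1111"},
    "u2": {"email": "bob@example.test", "last4": "2222"},
}
```

In a real service the mismatch branch would also raise an alert, since a single occurrence means the cache layer returned data for the wrong request.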