Jump to content

ChatGPT data leak exposes limited user chat history, ChatGPT Plus customer information

Spotty
By Spotty
in Tech News
 Share
Posted

Summary

Due to a bug introduced to OpenAI's ChatGPT on March 20th limited user chat history was exposed. The issue also exposed customer information of a small number of ChatGPT Plus subscribers, including payment details.

 

Quotes

Quote

ChatGPT creator OpenAI has confirmed a data breach caused by a bug in an open source library, just as a cybersecurity firm noticed that a recently introduced component is affected by an actively exploited vulnerability.
 

OpenAI said on Friday that it had taken the chatbot offline earlier in the week while it worked with the maintainers of the Redis data platform to patch a flaw that resulted in the exposure of user information. 

The issue was related to ChatGPT’s use of Redis-py, an open source Redis client library, and it was introduced by a change made by OpenAI on March 20. 

The bug introduced by OpenAI resulted in ChatGPT users being shown chat data belonging to others.

Quote

According to OpenAI’s investigation, the titles of active users’ chat history and the first message of a newly created conversation were exposed in the data breach. The bug also exposed payment-related information belonging to 1.2% of ChatGPT Plus subscribers, including first and last name, email address, payment address, payment card expiration date, and the last four digits of the customer’s card number. 


The reason that only 1.2% of ChatGPT Plus customers were affected is because it only affected customers who were active during a 9 hour period between 1am and 10am Pacific Time on March 20th.

Quote

Upon deeper investigation, we also discovered that the same bug may have caused the unintentional visibility of payment-related information of 1.2% of the ChatGPT Plus subscribers who were active during a specific nine-hour window. In the hours before we took ChatGPT offline on Monday, it was possible for some users to see another active user’s first and last name, email address, payment address, the last four digits (only) of a credit card number, and credit card expiration date. Full credit card numbers were not exposed at any time. 

 

 

It's too long to share here but more details about the data leak have been shared by OpenAI in their blog post here, including details about the bug that caused it: 

https://openai.com/blog/march-20-chatgpt-outage

 

 

My thoughts

It's worth noting that this was the result of a bug, not a hack. It's not part of any hack or ransom attempt. The exposed customer details were not widely exposed. It was only when a user opened a subscription verification email or went in to the "manage my subscriptions" settings during the 9 hour window that the details of another user were incorrectly displayed instead of the correct user information.

 

The bug was caused by the Redis-py library which OpenAI uses to cache user information. Due to a change made by OpenAI, Redis returned errors when attempting to retrieve requested data and as a result in some cases caused Redis to deliver the wrong customer information when requested. For more technical details see OpenAI's Blog Post

 

This issue is what caused a recent outage of ChatGPT. https://status.openai.com/incidents/jq9232rcmktd

 

Exposing the first message from a conversation a user has sent to ChatGPT isn't really a big deal, and you shouldn't be sharing any sensitive information with ChatGPT anyway. The customer information and payment details that were exposed for a small percentage of ChatGPT Plus users pose a much bigger concern, though thankfully it seems that the data exposed is limited to a very small number of accounts and that data was not widely available.

 

 

Sources

https://www.securityweek.com/chatgpt-data-breach-confirmed-as-security-firm-warns-of-vulnerable-component-exploitation/

https://openai.com/blog/march-20-chatgpt-outage

CPU: Intel i7 6700k  | Motherboard: Gigabyte Z170x Gaming 5 | RAM: 2x16GB 3000MHz Corsair Vengeance LPX | GPU: Gigabyte Aorus GTX 1080ti | PSU: Corsair RM750x (2018) | Case: BeQuiet SilentBase 800 | Cooler: Arctic Freezer 34 eSports | SSD: Samsung 970 Evo 500GB + Samsung 840 500GB + Crucial MX500 2TB | Monitor: Acer Predator XB271HU + Samsung BX2450

Link to comment
Share on other sites
Link to post
Share on other sites
Posted
1 hour ago, Spotty said:

The exposed customer details were not widely exposed

I think it should also be noted that the payment information that was exposed as well was limited to billing address, expiration date and last 4 digits of the credit card.  While it's bad, at least it didn't allow full access to credit card information

 

Then again, this is still quite a big mistake to make having cached data transmitted to the wrong user and does make you question what forms of testing they do.

3735928559 - Beware of the dead beef

Link to comment
Share on other sites
Link to post
Share on other sites
Posted

It's already banned in some orgs due to leakage of identifiable / proprietary data. It's situations like this that only serve to enforce that rationale.

 

Quote

Ohh, GPT is a really usefu..... *snatch pebble from hand*. Damn it!

 

Link to comment
Share on other sites
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing Tech News

×