We took ChatGPT offline earlier this week because of a bug in an open-source library which allowed some customers to see titles from one other lively person’s chat historical past. It’s additionally doable that the primary message of a newly-created dialog was seen in another person’s chat historical past if each customers had been lively across the identical time.
The bug is now patched. We had been capable of restore each the ChatGPT service and, later, its chat historical past characteristic, aside from a number of hours of historical past. As promised, we’re publishing extra technical details of this downside beneath.
Upon deeper investigation, we additionally found that the identical bug might have brought about the unintentional visibility of payment-related data of 1.2% of the ChatGPT Plus subscribers who had been lively throughout a particular nine-hour window. Within the hours earlier than we took ChatGPT offline on Monday, it was doable for some customers to see one other lively person’s first and final identify, e mail tackle, fee tackle, the final 4 digits (solely) of a bank card quantity, and bank card expiration date. Full bank card numbers weren’t uncovered at any time.
We consider the variety of customers whose knowledge was really revealed to another person is extraordinarily low. To entry this data, a ChatGPT Plus subscriber would have wanted to do one of many following:
- Open a subscription affirmation e mail despatched on Monday, March 20, between 1 a.m. and 10 a.m. Pacific time. As a result of bug, some subscription affirmation emails generated throughout that window had been despatched to the incorrect customers. These emails contained the final 4 digits of one other person’s bank card quantity, however full bank card numbers didn’t seem. It’s doable {that a} small variety of subscription affirmation emails might need been incorrectly addressed previous to March 20, though we have now not confirmed any cases of this.
- In ChatGPT, click on on “My account,” then “Handle my subscription” between 1 a.m. and 10 a.m. Pacific time on Monday, March 20. Throughout this window, one other lively ChatGPT Plus person’s first and final identify, e mail tackle, fee tackle, the final 4 digits (solely) of a bank card quantity, and bank card expiration date might need been seen. It’s doable that this additionally might have occurred previous to March 20, though we have now not confirmed any cases of this.
We now have reached out to inform affected customers that their fee data might have been uncovered. We’re assured that there isn’t a ongoing danger to customers’ knowledge.
Everybody at OpenAI is dedicated to defending our customers’ privateness and retaining their knowledge protected. It’s a duty we take extremely severely. Sadly, this week we fell wanting that dedication, and of our customers’ expectations. We apologize once more to our customers and to all the ChatGPT neighborhood and can work diligently to rebuild belief.
