OpenAI’s ChatGPT has suffered its first major personal data breach.
The breach came during a March 20 outage and exposed payment-related and other personal information of 1.2% of the ChatGPT Plus subscribers who were active during a specific nine-hour window, according to a blog post by OpenAI Friday, March 24.
“In the hours before we took ChatGPT offline on Monday, it was possible for some users to see another active user’s first and last name, email address, payment address, the last four digits (only) of a credit card number, and credit card expiration date. Full credit card numbers were not exposed at any time,” OpenAI officials wrote today.
What’s the big message to marketers and customer experience professionals? Fascinating as the world’s most popular chatbot is — and how it can aid marketing and customer experience campaigns — this is another avenue where people feed technology with personal data. And data privacy is paramount. Look no further than US Congress’ grilling this week of TikTok’s CEO.
Open-Source Bug Led to Breach Discoveries
Why did OpenAI take ChatGPT offline in the first place? Officials said they found a bug in an open-source library, which allowed some users to see titles from another active user’s chat history. “It’s also possible that the first message of a newly created conversation was visible in someone else’s chat history if both users were active around the same time,” OpenAI officials said.
The company patched the bug and reported technical details of this problem. However, as the company patched the bug, that’s when it discovered the same bug may have caused breach of more personal data.
Number of People Exposed in Data Breach ‘Extremely Low’
How many people’s personal data got exposed? OpenAI claims the number of users whose data was actually revealed to someone else “is extremely low.” They explained why. ChatGPT Plus subscribers would have needed to do one of the following:
Open a subscription confirmation email sent on Monday, March 20, between 1 a.m. and 10 a.m. PT. Due to the bug, some subscription confirmation emails generated during that window were sent to the wrong users. These emails contained the last four digits of another user’s credit card number, but full credit card numbers did not appear. It’s possible that a small number of subscription confirmation emails might have been incorrectly addressed prior to March 20, although we have not confirmed any instances of this.
In ChatGPT, click on “My account,” then “Manage my subscription” between 1 a.m. and 10 a.m. Pacific time on Monday, March 20. During this window, another active ChatGPT Plus user’s first and last name, email address, payment address, the last four digits (only) of a credit card number, and credit card expiration date might have been visible. It’s possible that this also could have occurred prior to March 20, although we have not confirmed any instances of this. “We have reached out to notify affected users that their payment information may have been exposed. We are confident that there is no ongoing risk to users’ data,” OpenAI officials said. “Everyone at OpenAI is committed to protecting our users’ privacy and keeping their data safe. It’s a responsibility we take incredibly seriously. Unfortunately, this week we fell short of that commitment, and of our users’ expectations. We apologize again to our users and to the entire ChatGPT community and will work diligently to rebuild trust.”
