ChatGPT Exposed Payment Card Data of Subscribers
Outage Revealed Chat Topics, Emails and Last 4 Digits of Payment Cards
OpenAI said it took its ChatGPT chatbot offline Monday after detecting a bug in an open-source library that allowed users to see snatches of conversations from another active user's chat history.
The company now says the bug, which is in software used to cache user information, may also have exposed payment-related information of 1.2% of ChatGPT Plus subscribers who were active during the early hours of Monday morning in its California headquarters' time zone.
"The bug is now patched. We were able to restore both the ChatGPT service and, later, its chat history feature, with the exception of a few hours of history," the company wrote in a Friday blog post.
OpenAI founder Sam Altman reportedly has told investors the company will earn $1 billion by 2024, including through paid subscriptions that prioritize paying customers' access to the natural language model interface.
The shutdown occurred after users reported seeing the chat histories of other users in their accounts. One user tweeted about seeing chat histories from another account including topics such as "phobia of rats" and "sexist music video clips."
OpenAI says "the bug may have exposed" the first message of a newly created conversation in someone else's chat history "if both users were active around the same time."
Privacy advocates have cautioned that sharing intimate details with ChatGPT could result in that information being transferred to a third party.
The platform says users active during a nine-hour period starting at 1 a.m. Pacific Daylight Time on March 20 were most at risk of having their payment information exposed. The bug allowed users to see another active user's first and last name, email address, payment address, the last four digits of a credit card number and credit card expiration date. Users would have had to navigate to the "Manage my subscription" section of the website to see the information.
Subscription confirmation emails containing the last four digits of another user's payment card generated during that time period also were sent to the wrong users, the company says.