OpenAI, the creator of ChatGPT, has admitted that some users’ payment information may have been exposed earlier this week when it took ChatGPT offline owing to a bug.
According to the company, the Microsoft-owned company took ChatGPT offline due to a bug in an open-source library which allowed some users to see titles from another active user’s chat history.
“It was also possible that the first message of a newly-created conversation was visible in someone else’s chat history if both users were active around the same time,” said the company.
The bug has been patched and ChatGPT service and its chat history feature, with the exception of a few hours of history, have been restored.
However, upon deeper investigation, OpenAI discovered that the same bug may have caused the unintentional visibility of “payment-related information of 1.2 per cent of the ChatGPT Plus subscribers who were active during a specific nine-hour window”.
“In the hours before we took ChatGPT offline, it was possible for some users to see another active user’s first and last name, email address, payment address, the last four digits (only) of a credit card number, and credit card expiration date. Full credit card numbers were not exposed at any time,” the company revealed.
Due to the bug, some subscription confirmation emails generated during that window were sent to the wrong users.
These emails contained the last four digits of another users’ credit card number, but full credit card numbers did not appear.
“It’s possible that a small number of subscription confirmation emails might have been incorrectly addressed prior to March 20, although we have not confirmed any instances of this,” OpenAI further said.
The company said it has reached out to notify affected users that their payment information may have been exposed.
“We are confident that there is no ongoing risk to users’ data,” it added, apologising again to users and to the entire ChatGPT community.
The bug was discovered in the Redis client open-source library called “redis-py”.