A bug in ChatGPT exposed user chat histories and payment information, including names, email addresses, and partial credit card details, to other users during a nine-hour window before it was discovered and patched.
On March 20, 2023, OpenAI shut down ChatGPT due to a bug that exposed user chat histories and payment information to other users. The bug was caused by an issue in open-source software that OpenAI was using. During the incident, users could see the titles and first messages of other active users' conversations in their sidebar instead of their own chat history. Additionally, during a nine-hour window between 1 a.m. PT and 10 a.m. PT before the bug was discovered, some users could see other users' first and last names, email addresses, payment addresses, last four digits of credit card numbers, and credit card expiration dates. OpenAI reported that payment information of 1.2 percent of ChatGPT Plus subscribers was exposed, though the likelihood that other users actually saw this information was described as low. Users would have had to open a ChatGPT Plus subscription confirmation email or navigate to the 'Manage my subscription' page to view the exposed payment information. Full credit card numbers were not exposed at any time. OpenAI patched the bug, restored ChatGPT service and user chat histories, and notified affected users whose payment information was exposed.
Domain classification, causal taxonomy, severity scores, and national security assessments were LLM-classified and may contain errors.
AI systems that memorize and leak sensitive personal data or infer private information about individuals without their consent. Unexpected or unauthorized sharing of data and information can compromise user expectation of privacy, assist identity theft, or cause loss of confidential intellectual property.
AI system: Due to a decision or action made by an AI system
Unintentional: Due to an unexpected outcome from pursuing a goal
Post-deployment: Occurring after the AI model has been trained and deployed