ChatGPT Account Compromise Leads to Unintended Data Exposure

On Monday morning, ChatGPT user Chase Whiteside from Brooklyn, New York discovered seven private conversations from unrelated users appearing in his account history. The leaked conversations included multiple pairs of usernames and passwords for a pharmacy prescription drug portal, candid employee complaints about software problems, store numbers, presentation names, unpublished research proposal details, and PHP programming scripts. OpenAI investigated and concluded that Whiteside's account had been compromised through unauthorized logins from Sri Lanka, explaining that the conversations were created during successful logins from that location. OpenAI stated this was consistent with account takeover activity where compromised identities are pooled for distributing free access to external communities or proxy servers. Whiteside disputed the compromise explanation, noting he used a nine-character password with mixed case and special characters that he only used for his Microsoft account. The incident highlighted that ChatGPT lacks standard security features like two-factor authentication and IP location tracking for logins. This was not the first such incident, as OpenAI had previously taken ChatGPT offline in March after a bug caused chat titles to be shown to unrelated users.