ChatGPT was taken offline earlier this week due to a bug in an open-source library. This bug allowed certain users to see titles from another user’s chat history. Additionally, the first message of a newly created conversation could have been visible to someone else if both users were active around the same time.
The bug has been fixed and we have restored the ChatGPT service and its chat history feature, except for a few hours of history. We have provided more technical details about the issue below.
Upon further investigation, we found that the same bug may have inadvertently exposed payment-related information of 1.2% of ChatGPT Plus subscribers who were active during a specific nine-hour period. Before we took ChatGPT offline, some users were able to see another user’s first and last name, email address, payment address, credit card type, and the last four digits of their credit card number. However, full credit card numbers were never exposed.
The number of users whose data was actually revealed to someone else is expected to be extremely low. To access this information, a ChatGPT Plus subscriber would have needed to open a subscription confirmation email sent on Monday, March 20, between 1 a.m. and 10 a.m. Pacific time. Some subscription confirmation emails sent during this period were mistakenly delivered to the wrong users; these emails contained only the credit card type and last four digits of another user’s credit card number. We have not confirmed any instances of emails being incorrectly addressed prior to March 20.
Alternatively, during the same time window, if a ChatGPT user clicked on “My account” and then “Manage my subscription,” they might have seen another active user’s first and last name, email address, payment address, credit card type, and the last four digits of their credit card number, as well as the credit card expiration date. However, there have been no confirmed instances of this occurring before March 20.
We have contacted the affected users to inform them about the potential exposure of their payment information. We are confident that there is no ongoing risk to users’ data.
At OpenAI, the privacy and security of our users’ data are of utmost importance to us. We deeply regret falling short of that commitment and apologize to our users and the entire ChatGPT community. We will take diligent steps to regain trust.