The creator of ChatGPT, OpenAI, has acknowledged that some users’ payment information may have been exposed earlier this week when the app was taken offline because of a bug.
The Microsoft-owned company reportedly took ChatGPT offline as a result of a bug in an open-source library that allowed some users to view titles from another active user’s chat history.
The company said that if two users were online at the same moment, “It was also possible that the first message of a newly-created conversation was visible in someone else’s chat history.”
The bug has been addressed, and the ChatGPT service and its chat history feature have been restored, with the exclusion of a few hours of history.
However, after further investigation, OpenAI revealed that the same flaw may have resulted in the unintended exposure of “payment-related information of 1.2 percent of the ChatGPT Plus subscribers who were active during a specific nine-hour window.”
“In the hours before we took ChatGPT offline, it was possible for some users to see another active user’s first and last name, email address, payment address, the last four digits (only) of a credit card number, and credit card expiration date. Full credit card numbers were not exposed at any time,” the company revealed.
Several subscription confirmation emails created within that window were forwarded to the wrong users because of an issue.
The last four digits of another user’s credit card number were included in these emails, but complete credit card information were not.
“It’s possible that a small number of subscription confirmation emails were incorrectly addressed prior to March 20, although we have not confirmed any instances of this,” OpenAI said.
The company stated that it has notified impacted users that their payment information may have been compromised.
“We are confident that there is no ongoing risk to users’ data,” it added, apologising again to users and to the entire ChatGPT community.
The bug was discovered in the open-source Redis client library “redis-lpy.”
