
March 20 ChatGPT outage: Here’s what happened


We took ChatGPT offline earlier this week due to a bug in an open-source library which allowed some users to see titles from another active user’s chat history. It’s also possible that the first message of a newly-created conversation was visible in someone else’s chat history if both users were active around the same time.

The bug is now patched. We were able to restore both the ChatGPT service and, later, its chat history feature, with the exception of a few hours of history. As promised, we’re publishing more technical details of this problem below.

Upon deeper investigation, we also discovered that the same bug may have caused the unintentional visibility of payment-related information of 1.2% of the ChatGPT Plus subscribers who were active during a specific nine-hour window. In the hours before we took ChatGPT offline on Monday, it was possible for some users to see another active user’s first and last name, email address, payment address, credit card type and the last four digits (only) of a credit card number, and credit card expiration date. Full credit card numbers were not exposed at any time.

We believe the number of users whose data was actually revealed to someone else is extremely low. To access this information, a ChatGPT Plus subscriber would have needed to do one of the following:

  • Open a subscription confirmation email sent on Monday, March 20, between 1 a.m. and 10 a.m. Pacific time. Due to the bug, some subscription confirmation emails generated during that window were sent to the wrong users. These emails contained the credit card type and last four digits of another user’s credit card number, but full credit card numbers did not appear. It’s possible that a small number of subscription confirmation emails might have been incorrectly addressed prior to March 20, although we have not confirmed any instances of this.
  • In ChatGPT, click on “My account,” then “Manage my subscription” between 1 a.m. and 10 a.m. Pacific time on Monday, March 20. During this window, another active ChatGPT Plus user’s first and last name, email address, payment address, the credit card type and last four digits (only) of a credit card number, and credit card expiration date might have been visible. It’s possible that this also could have occurred prior to March 20, although we have not confirmed any instances of this.

We have reached out to notify affected users that their payment information may have been exposed. We are confident that there is no ongoing risk to users’ data.

Everyone at OpenAI is committed to protecting our users’ privacy and keeping their data safe. It’s a responsibility we take incredibly seriously. Unfortunately, this week we fell short of that commitment, and of our users’ expectations. We apologize again to our users and to the entire ChatGPT community and will work diligently to rebuild trust.

