Artificial Intelligence & Machine Learning , Governance & Risk Management , Next-Generation Technologies & Secure Development

ChatGPT Exposed Payment Card Data of Subscribers

Outage Revealed Chat Topics, Emails and Last 4 Digits of Payment Cards
ChatGPT Exposed Payment Card Data of Subscribers
Image: Shutterstock

OpenAI said it took its ChatGPT chatbot offline Monday after detecting a bug in an open-source library that allowed users to see snatches of conversations from another active user's chat history.

See Also: Close the Gapz in Your Security Strategy

The company now says the bug, which is in software used to cache user information, may also have exposed payment-related information of 1.2% of ChatGPT Plus subscribers who were active during the early hours of Monday morning in its California headquarters' time zone.

"The bug is now patched. We were able to restore both the ChatGPT service and, later, its chat history feature, with the exception of a few hours of history," the company wrote in a Friday blog post.

OpenAI founder Sam Altman reportedly has told investors the company will earn $1 billion by 2024, including through paid subscriptions that prioritize paying customers' access to the natural language model interface.

The shutdown occurred after users reported seeing the chat histories of other users in their accounts. One user tweeted about seeing chat histories from another account including topics such as "phobia of rats" and "sexist music video clips."

OpenAI says "the bug may have exposed" the first message of a newly created conversation was visible in someone else's chat history "if both users were active around the same time."

Privacy advocates have cautioned that sharing intimate details with ChatGPT could result in that information being transferred to a third party.

The platform says users active during a nine-hour period starting at 1 a.m. Pacific Daylight Time on March 20 were most at risk of having their payment information exposed. The bug allowed users to see another active user's name, last name, email address, payment address, the last four digits of a credit card number and credit card expiration date. Users would have had to navigate to the "Manage my subscription" section of the website to see the information.

Subscription confirmation emails containing the last four digits of another user's payment card generated during that time period also were sent to the wrong users, the company says.

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.