Why Privacy Fears Took ChatGPT Offline This Week
OpenAI's ChatGPT hit an unusual bug earlier this week that let users see another person's conversation history with the chatbot. Multiple users posted screenshots of the experience on social media, raising concerns about a privacy breach. People who use the assistant for business purposes, such as coding a project or drafting sensitive text, flagged the risk of tangible financial loss. Company CEO Sam Altman quickly assured users that the "significant" error had been fixed after a brief service outage, but something more worrying was happening in the background.
We took ChatGPT offline Monday to fix a bug in an open source library that allowed some users to see titles from other users' chat history. Our investigation has also found that 1.2% of ChatGPT Plus users might have had personal data revealed to another user. 1/2
— OpenAI (@OpenAI) March 24, 2023
The company now says that, aside from letting a small subset of users see each other's chat history, the same bug "may have caused the unintentional visibility of payment-related information of 1.2% of the ChatGPT Plus subscribers." The exposure of those payment details was limited to a fixed nine-hour window on Monday. The bug has been fixed and the company intends to notify the affected users, but given the size of ChatGPT's user base, this one is definitely scary.
A sign of early trouble in the AI age
In addition to showing the first and last name of a stranger using ChatGPT, the bug also exposed other sensitive details: the last four digits of a credit card number and its expiration date, the linked email address, and the payment inbox. In the hands of a skilled bad actor, that is enough information to do serious damage. OpenAI, for its part, says the number of users whose payment details were exposed by the bug was "extremely low." On the technical side, the company says there were two pathways through which the data was exposed.
First, subscription confirmation emails sent during a specific time frame on Monday went to the wrong user, complete with the card details that normally accompany an online purchase receipt. OpenAI suspects a small number of these emails were incorrectly associated with the wrong accounts. Second, between 1 a.m. and 10 a.m. (PT), the sensitive information was visible to other users who opened their subscription dashboard. The company also says the bug may have been active before March 20, but this has not yet been confirmed.