
ChatGPT outage exposed subscribers’ payment information
OpenAI said that payment information of some users could have been exposed as a result of a widespread ChatGPT outage.
We believe the number of users whose data was actually revealed to someone else is extremely low and we have contacted those who might be impacted. We take this very seriously and are sharing details of our investigation and plan here. 2/2 https://t.co/JwjfbcHr3g
— OpenAI (@OpenAI) March 24, 2023
According to the company, an error in an open-source library called redis-py created a caching issue. This led some users to see other people’s personal data:
- the last four digits and expiry date of the credit card;
- the first and last names of users;
- the email address;
- the billing address.
Additionally, users could also see fragments of other people’s chat histories.
If you use #ChatGPT be careful! There’s a risk of your chats being shared to other users!
Today I was presented another user’s chat history.
I couldn’t see contents, but could see their recent chats’ titles. #security #privacy #openAI #AI pic.twitter.com/DLX3CZntao
— Jordan L Wheeler (@JordanLWheeler) March 20, 2023
The company says the leak could have affected around 1.2% of ChatGPT Plus users who used the service on March 20, 2023 between 4:00 and 13:00 ET (9:00 to 18:00 CET).
OpenAI says two scenarios led to payment data being displayed. If a user opened the Subscription Management screen in their account settings, they could see the information of another ChatGPT Plus subscriber who was actively using the service at the time.
The company also reports that some subscription confirmation emails sent during the incident were delivered in error. This also led to the disclosure of the last four digits of the credit card number.
OpenAI said both incidents occurred before March 20. They are not sure whether such incidents have happened in the past.
OpenAI has contacted users whose payment information could have been exposed.
The leak is linked to a Redis caching issue. Under certain circumstances, the response to a cancelled request could be returned, as corrupted data, to a different query. Normally the application raises an error in such cases.
But if another user requested the same type of information, for example by viewing their own account page, the library could mistakenly hand them the response to the other user’s cancelled request.
As a result, some people saw other users’ information in their own accounts: they were shown cached data that was intended for someone else but had never been delivered to that person, because their request was cancelled.
This is why the issue affected only active subscribers: data for those who had not used the service during the specified window was never cached.
The situation was worsened by a server change OpenAI rolled out on the morning of March 20 that inadvertently triggered a spike in Redis cancellation requests. This increased the likelihood of returning cached data erroneously.
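The following is an added, constructed simulation of the mechanism described above; it is not redis-py’s or OpenAI’s code. A pooled connection’s reply stream is first-in, first-out: a caller that is cancelled after sending a command but before reading its reply leaves that reply in the stream, and the next caller to reuse the connection reads it as if it were its own. The `disconnect()` on cancellation models the defensive fix (never reuse a connection that still has an unread reply); the account records are sample data.

```python
from collections import deque

# Constructed sample back-end: per-user subscription records.
ACCOUNTS = {
    "alice": {"name": "Alice Example", "card_last4": "1111"},
    "bob":   {"name": "Bob Example",   "card_last4": "2222"},
}


class CancelledError(Exception):
    """Stands in for the task cancellation that interrupts a caller."""


class Connection:
    """One pooled connection; replies come back strictly in send order."""

    def __init__(self):
        self._replies = deque()

    def send(self, user_id):
        # The server handles the command and queues exactly one reply.
        self._replies.append(ACCOUNTS[user_id])

    def read(self):
        # Reads whatever reply is at the head of the stream, whoever sent it.
        return self._replies.popleft()

    def disconnect(self):
        # Dropping the socket discards any reply nobody has read yet.
        self._replies.clear()


def fetch_account(conn, user_id, cancel_before_read=False, fixed=False):
    """Fetch a record; cancel_before_read simulates the caller being
    cancelled between sending the command and reading its reply."""
    conn.send(user_id)
    try:
        if cancel_before_read:
            raise CancelledError()
        return conn.read()
    except CancelledError:
        if fixed:
            conn.disconnect()  # the fix: stale reply can no longer leak
        raise


def scenario(fixed):
    """Alice's request is cancelled, then Bob reuses the same connection.
    Returns the record Bob is shown (Alice's when fixed=False)."""
    conn = Connection()
    try:
        fetch_account(conn, "alice", cancel_before_read=True, fixed=fixed)
    except CancelledError:
        pass  # Alice never receives her reply; it stays in the stream
    return fetch_account(conn, "bob")
```

Because the stale reply has the same shape as the one Bob expects, it parses cleanly and no error is raised, which matches the article’s point that only requests for the same type of data were affected.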
The company said the issue has been fixed. Developers also said they had made changes to their own software to prevent similar incidents in the future.
Earlier, users had complained about the inaccessibility of the ChatGPT service.
In March OpenAI added support for third-party plugins for ChatGPT.
In February, OpenAI chief executive Sam Altman called the chatbot “a terrible product”.