A bug in ChatGPT led to the disclosure of payment information of users

OpenAI reported that the payment information of some users could be disclosed as a result of a large-scale failure of ChatGPT.

We believe the number of users whose data was actually revealed to someone else is extremely low and we have contacted those who might be impacted. We take this very seriously and are sharing the details of our investigation and plan here. 2/2 https://t.co/JwjfbcHr3g

— OpenAI (@OpenAI) March 24, 2023

According to the company, a bug in an open source library called redis-py has created a caching issue. This resulted in some users being able to see other people’s personal data:

• the last four digits and the expiration date of the credit card;
• first and last name of users;
• email;
• billing address.

In addition, users could also see fragments of other people’s chat stories.

if you use #ChatGPT be careful! There’s a risk of your chats being shared to other users!
Today I was presented another user’s chat history.
I couldn’t see the contents, but could see their recent chats’ titles.#security #privacy #openAI #AI pic.twitter.com/DLX3CZntao

— Jordan L Wheeler (@JordanLWheeler) March 20, 2023

The company claims that the payment information leak may have affected about 1.2% of ChatGPT Plus users who launched the service on March 20, 2023 from 4:00 to 13:00 ET (9:00 to 18:00 CET) .

According to OpenAI, there are two scenarios that led to the display of payment data. If a person went to the “Manage Subscription” screen in their account settings, they could see the information of another ChatGPT Plus subscriber who was actively using the service at the time.

The company also reports that some subscription confirmation emails sent during the incident were delivered in error. It also exposed the last four digits of the credit card number.

OpenAI suggested that both incidents occurred before March 20. At the same time, the company is not sure that this has happened in the past.

OpenAI has contacted users whose payment information may have been disclosed.

The leak is associated with the problem of caching information about users in Redis. Under certain circumstances, a canceled request may result in corrupted data being returned for another request. Usually in such cases, the application gives an error.

But if another person requested the same type of information, such as wanting to view their account page, the library could mistakenly return the other user’s canceled request to them.

Therefore, some people saw information about other users in their account. They were shown cache data that was intended for someone else. However, they were not sent due to the cancellation of the request.

That is why the problem only affected active subscribers. The data of those who did not use the service during the specified period of time was not cached.

To make things worse, on the morning of March 20, OpenAI made a change to the server that accidentally caused a spike in canceled Redis requests. This increased the likelihood of a cache being returned by mistake.

The company said that the problem has already been fixed. The developers also announced changes to their own software to prevent similar incidents in the future.

Previously, users complained about the unavailability of the ChatGPT service.