OpenAI disclosed that the ChatGPT service suffered an outage earlier this week due to a bug in an open-source library. The bug allowed some users to view titles from another active user’s chat history, and in some cases, see the first message of a newly-created conversation. As a result, OpenAI took ChatGPT offline to fix the bug.
The bug has now been patched, and the ChatGPT service has been restored along with its chat history feature, except for a few hours of history. However, upon further investigation, OpenAI discovered that the same bug may have caused payment-related information of 1.2% of ChatGPT Plus subscribers to be visible to other users. This included the last four digits of a credit card number, email address, payment address, and credit card expiration date. Full credit card numbers were not exposed at any time.
OpenAI believes that the number of users whose data was actually revealed to someone else is extremely low. To access this information, a ChatGPT Plus subscriber would have needed to open a subscription confirmation email sent on March 20 between 1 a.m. and 10 a.m. Pacific time, or click on “My Account,” then “Manage my subscription” during that same time window.
We took ChatGPT offline Monday to fix a bug in an open source library that allowed some users to see titles from other users’ chat history. Our investigation has also found that 1.2% of ChatGPT Plus users might have had personal data revealed to another user. 1/2
— OpenAI (@OpenAI) March 24, 2023
OpenAI has reached out to notify affected users and assured them that there is no ongoing risk to their data. The company takes the privacy and data security of its users very seriously and has apologized for falling short of its commitment to protecting its users’ privacy. OpenAI will work to rebuild trust and continue to take action to improve its systems.
The bug was discovered in redis-py, the open-source Redis client library. OpenAI reached out to the Redis maintainers with a patch to resolve the issue as soon as the bug was identified. The bug appeared in the Asyncio redis-py client for Redis Cluster and has now been fixed.
OpenAI has taken several actions to improve its systems, including extensively testing the fix to the underlying bug, adding redundant checks to ensure the data returned by its Redis cache matches the requesting user, and improving logging to identify when this is happening.
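The "redundant check" described above, that data coming back from a cache must belong to the user who asked for it, can be illustrated with a small owner-tagged cache wrapper. This is an added example, not OpenAI's code or part of redis-py; the `MisroutingBackend` is a constructed fault model that hands back another key's value, standing in for whatever causes a response to reach the wrong request, and the user ids and chat titles are made up.

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("cache-guard")

class OwnerMismatch(Exception):
    """A cache hit is tagged for a different user than the one asking."""

@dataclass
class CacheEntry:
    owner_id: str  # user the entry was written for
    payload: dict  # e.g. chat titles or a billing summary

class GuardedCache:
    """Tags every write with its owner and re-checks the tag on every read."""
    def __init__(self, backend):
        self._backend = backend  # any object with get(key) / set(key, value)
    def set_for_user(self, user_id, key, payload):
        self._backend.set(key, CacheEntry(owner_id=user_id, payload=payload))
    def get_for_user(self, user_id, key):
        entry = self._backend.get(key)
        if entry is None:
            return None  # miss: caller falls back to the source of truth
        if entry.owner_id != user_id:
            # The redundant check: the key alone is not trusted, the tag must match.
            log.error("cache mismatch key=%s user=%s owner=%s", key, user_id, entry.owner_id)
            raise OwnerMismatch(key)
        return entry.payload

class MisroutingBackend:
    """Constructed fault model: a store that can answer with another key's value."""
    def __init__(self):
        self._data, self.misroute_to = {}, None
    def set(self, key, value):
        self._data[key] = value
    def get(self, key):
        return self._data.get(self.misroute_to or key)

def misrouted_read():
    """Returns 'blocked' when the guard stops a misrouted entry, 'leaked' otherwise."""
    backend = MisroutingBackend()
    cache = GuardedCache(backend)
    cache.set_for_user("user-a", "history:user-a", {"titles": ["Trip plan"]})
    cache.set_for_user("user-b", "history:user-b", {"titles": ["Recipe"]})
    backend.misroute_to = "history:user-a"  # user-b's read is answered with user-a's entry
    try:
        cache.get_for_user("user-b", "history:user-b")
    except OwnerMismatch:
        return "blocked"
    return "leaked"
```

The logged mismatch line is the kind of signal the article's "improving logging to identify when this is happening" refers to: a misrouted response becomes a counted error instead of a silent disclosure.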
The Redis open-source maintainers have been fantastic collaborators, swiftly addressing the bug and rolling out a patch. Redis, along with other open-source software, plays a crucial role in OpenAI’s research efforts, and the company is dedicated to continuing to support and contribute to the Redis community.