OpenAI, the technology company that promotes the Internet sensation ChatGPT and GPT-4, has announced that a data breach last week, exposing the chat history of some users to other users.

Following the breach, the US-based Generative AI solutions company took ChatGPT offline on March 20, which rendered the service out of reach for lakhs of users around the world. The company also hid the chat histories of users for hours even after restoring the AI chatbot service to do a post-mortem, stop further exposure of data and take corrective measures..

What was exposed

Due to the bug, some subscription confirmation emails generated during that window were sent to the wrong users.

In the hours before the service was disrupted on Monday, it was possible for some users to see another active user’s first and last name, email address, payment address, the last four digits of a credit card number, and credit card expiration date, said the company.

Apologising to the ChatGPT user community for the breach, the company asserted that full credit card numbers were not exposed at any time. 

Also read: Using ChatGPT heavily for content creation? Be aware of consequences

“We took ChatGPT offline earlier this week due to a bug in an open-source library which allowed some users to see titles from another active user’s chat history,” the company said in a statement on Friday night on the outage.

“It’s also possible that the first message of a newly-created conversation was visible in someone else’s chat history if both users were active around the same time,” it explained.

The company asserted that the bug is now patched and that it could restore the chat service and the chat history.

It said the same bug might have caused the exposure of payment-related information of 1.2 per cent of the ChatGPT Plus (a premium service that offers GPT-4-grade responses) subscribers, who were active during a specific nine-hour window. 

“We believe the number of users whose data was actually revealed to someone else is extremely low,” it claimed.

Also read: OpenAI opens subscriptions for GPT-4 in India

“We have reached out to notify affected users that their payment information may have been exposed. We are confident that there is no ongoing risk to users’ data,” it said.

For geeks

Here are some details about technical details about the bug. The bug was discovered in the Redis client open-source library, redis-py. OpenAI said it reached out to the Redis maintainers with a patch to resolve the issue.