OpenAI admits some premium users’ payment info was exposed

People who signed up for the $20-a-month ChatGPT Plus subscription might be AI enthusiasts wanting early access to new features or just folks who got tired of waiting for the platform during peak hours.

Now, some of those users may have each other’s private financial information.

A bug earlier this week allowed ChatGPT users to see titles from each other’s chat history and — the company later disclosed — leaked the personal payment information of a small percentage of premium subscribers.

According to a Friday blog post by San Francisco-based OpenAI, from 1 a.m. to 10 a.m. PT on Monday, ChatGPT Plus users who received a subscription confirmation email or managed their subscription online might have been given a trove of another active user’s personal information: first and last name, email address, payment address, the last four digits of a credit card number and the credit card’s expiration date.

OpenAI blamed the bug on a server change that accidentally overloaded its data cache library partner, Redis, with a spike of request cancellations. The spike corrupted the library’s “connections,” which bring together user requests with server responses.

“This created a small probability for each connection to return bad data,” OpenAI wrote in the post. In most cases, users would have to redo their request. In some, another user’s information came through instead.
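One way a reused connection can hand one user's reply to another after a cancelled request, shown as an added example that is not OpenAI's or the Redis library's code. It is a simplified in-memory model: the class and function names are hypothetical, and it assumes replies come back in the order requests were sent on a pooled connection.

```python
import asyncio

class FakeConnection:
    """In-memory stand-in for one pooled cache connection (hypothetical).
    Assumption: replies arrive in the order requests were sent."""
    def __init__(self):
        self.replies = asyncio.Queue()
        self.pending = 0  # requests sent whose reply has not been read yet

    async def send(self, key):
        self.pending += 1
        # The "server" answers shortly afterwards, whether or not anyone still waits.
        asyncio.get_running_loop().call_later(
            0.01, self.replies.put_nowait, f"profile-of:{key}")

    async def read(self):
        reply = await self.replies.get()
        self.pending -= 1
        return reply

async def fetch(pool, key, discard_dirty):
    conn = pool.pop() if pool else FakeConnection()
    try:
        await conn.send(key)
        return await conn.read()
    finally:
        # A cancelled caller leaves its reply unread (pending > 0).
        # Reusing that connection hands the stale reply to the next caller.
        if not (discard_dirty and conn.pending):
            pool.append(conn)

async def scenario(discard_dirty):
    pool = []
    first = asyncio.create_task(fetch(pool, "user-A", discard_dirty))
    await asyncio.sleep(0)      # user-A's request is sent
    first.cancel()              # ...then cancelled before the reply is read
    try:
        await first
    except asyncio.CancelledError:
        pass
    return await fetch(pool, "user-B", discard_dirty)

def run(discard_dirty):
    return asyncio.run(scenario(discard_dirty))

if __name__ == "__main__":
    print("reuse after cancel:  ", run(False))
    print("discard after cancel:", run(True))
```

Dropping any connection that still has an unread reply, instead of returning it to the pool, is the mitigation this model illustrates.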

“We feel awful about this,” CEO Sam Altman said in a Wednesday tweet.

The company first noticed the bug because of the conversation title leaks, and quickly took ChatGPT offline to patch the problem. OpenAI, in its blog post, explained that it is possible “the first message of a newly-created conversation was visible in someone else’s chat history if both users were active around the same time.”

OpenAI estimated that 1.2% of the ChatGPT Plus subscribers active during the nine-hour window may have had their payment information exposed. As of February, ChatGPT’s free basic offerings reached 100 million users; the company has yet to make public how many $20-a-month premium users it has.

The firm downplayed the issue, saying full credit card numbers were never shown and subscribers would have had to open a subscription confirmation email sent between 1 and 10 a.m. or click “Manage my subscription” to see another user’s data.

OpenAI wrote that the firm fell short of its commitment to protect users’ privacy and said it “will work diligently to rebuild trust.” The firm declined SFGATE’s request for comment.

“We have reached out to notify affected users that their payment information may have been exposed,” the company said in the post. “We are confident that there is no ongoing risk to users’ data.”

Hear of anything happening at OpenAI or another tech company? Contact tech reporter Stephen Council securely at [email protected] or on Signal at 628-204-5452.
