1.2% of ChatGPT Plus subscribers active during a 9-hour window were vulnerable to having their credit card info leaked
Only 1.2% of the ChatGPT Plus subscribers active during the nine-hour window had this payment information revealed. OpenAI writes, “We believe the number of users whose data was actually revealed to someone else is extremely low.” To access the aforementioned personal data, someone would have had to open a subscription confirmation email sent on Monday, March 20, between 1 a.m. and 10 a.m. Pacific time.
A small number of ChatGPT Plus subscribers had their payment information leaked last week
ChatGPT Plus is a premium service that costs $20 per month and promises access to the chatbot even during peak times. It also delivers faster results and priority access to improvements and new features.
Because of a bug, some of these subscription confirmation emails went to the wrong subscribers and contained the last four digits of another user’s credit card number. A small number of such emails might have gone out before March 20, but this has yet to be confirmed by the company.
Those impacted by the bug have been notified and the flaw has been patched
Another way to obtain someone else’s payment information was to click on “My Account,” and then “Manage my subscription” on ChatGPT between 1 a.m. and 10 a.m. Pacific time on Monday, March 20. During this window, another user’s first and last name, email address, payment address, the last four digits of a credit card number, and the credit card expiration date could have been viewed. This also might have been possible before March 20, although OpenAI has been unable to confirm this.
The company adds that “Everyone at OpenAI is committed to protecting our users’ privacy and keeping their data safe. It’s a responsibility we take incredibly seriously. Unfortunately, this week we fell short of that commitment, and of our users’ expectations. We apologize again to our users and to the entire ChatGPT community and will work diligently to rebuild trust.”
In the blog post, OpenAI says that it has taken the following actions to improve the platform:
- Extensively tested our fix to the underlying bug.
- Added redundant checks to ensure the data returned by our Redis cache matches the requesting user.
- Programmatically examined our logs to make sure that all messages are only available to the correct user.
- Correlated several data sources to precisely identify the affected users so that we can notify them.
- Improved logging to identify when this is happening and fully confirm it has stopped.
- Improved the robustness and scale of our Redis cluster to reduce the likelihood of connection errors at extreme load.
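The second and fourth items above describe two distinct defensive measures: a redundant ownership check on data coming back from the cache, and logging that makes any remaining mismatch visible. The following is an added example, not OpenAI’s code, showing what such a check and its log scan can look like. The in-memory cache, the record layout, the user ids, the log format and the deliberately crossed lookup are all constructed assumptions for illustration.

```python
"""Added example (not OpenAI's code): fail-closed ownership check on cached
account data, plus a scan over the resulting log lines.

Everything here is constructed: the cache contents, the record shape, the
user ids and the log line format are assumptions for the demonstration."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class SubscriptionRecord:
    """The kind of data the article says was exposed (constructed fields)."""
    user_id: str
    email: str
    card_last4: str
    card_expiry: str


class CacheOwnershipMismatch(Exception):
    """Raised when a cached record belongs to someone other than the requester."""


# Constructed stand-in for a Redis cache keyed by subscriber id.
CACHE = {
    "sub:u-1001": SubscriptionRecord("u-1001", "alice@example.com", "4242", "12/26"),
    "sub:u-1002": SubscriptionRecord("u-1002", "bob@example.com", "0005", "03/27"),
}

Lookup = Callable[[str], Optional[SubscriptionRecord]]


def healthy_lookup(key: str) -> Optional[SubscriptionRecord]:
    """Normal behaviour: the value stored under the requested key."""
    return CACHE.get(key)


def crossed_lookup(key: str) -> Optional[SubscriptionRecord]:
    """Constructed fault: the reply meant for u-1001 is handed to whoever asked
    for u-1002, mimicking a cache response delivered to the wrong request."""
    if key == "sub:u-1002":
        return CACHE["sub:u-1001"]
    return CACHE.get(key)


def get_subscription(requesting_user: str, lookup: Lookup,
                     log: List[str]) -> Optional[SubscriptionRecord]:
    """Fetch the requester's record and refuse to return anyone else's.

    The key already encodes the requester, so this comparison is redundant
    when the cache behaves; it is exactly the redundancy that catches a
    misrouted reply. A mismatch is logged and the request fails closed."""
    record = lookup(f"sub:{requesting_user}")
    if record is None:
        return None
    if record.user_id != requesting_user:
        log.append(
            f"level=error event=cache_owner_mismatch "
            f"requester={requesting_user} owner={record.user_id}"
        )
        raise CacheOwnershipMismatch(
            f"cached record for {record.user_id} returned to {requesting_user}"
        )
    return record


def account_page_outcome(requesting_user: str, lookup: Lookup,
                         log: List[str]) -> str:
    """What a 'Manage my subscription' handler would do with the result:
    render the record, show nothing, or show an error instead of another
    user's data. Returns 'ok', 'missing' or 'mismatch'."""
    try:
        record = get_subscription(requesting_user, lookup, log)
    except CacheOwnershipMismatch:
        return "mismatch"
    return "ok" if record is not None else "missing"


# Matches the constructed log line format written above.
MISMATCH_LINE = re.compile(
    r"event=cache_owner_mismatch requester=(\S+) owner=(\S+)"
)


def mismatches_in_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (requester, owner) for every mismatch line, so an operator can
    both confirm the fault has stopped and identify whose data was crossed."""
    found = []
    for line in lines:
        match = MISMATCH_LINE.search(line)
        if match:
            found.append((match.group(1), match.group(2)))
    return found


if __name__ == "__main__":
    log: List[str] = []
    print(account_page_outcome("u-1002", crossed_lookup, log))  # mismatch
    print(mismatches_in_log(log))  # [('u-1002', 'u-1001')]
```

The check compares the identity stored inside the returned object with the identity that issued the request, rather than trusting the key used for the lookup; that is what makes it independent of whatever went wrong inside the cache client. The log line carries both ids so that a later scan can reconstruct exactly which pairs of users were affected, which is the information needed to notify them.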