Security | 27.03.2023

ChatGPT leaked payment details to wrong users

OpenAI has explained how a bug in the open-source Redis client library used by ChatGPT exposed some ChatGPT Plus subscribers’ payment details to other users.

The company took ChatGPT offline last week after it became aware of a flaw that allowed some users to see the titles and first messages from other active users’ chat histories.

It patched the bug and restored ChatGPT services and chat histories shortly thereafter.

However, following further investigation, OpenAI discovered the same bug had also caused unintentional visibility of payment-related information.

It said this affected about 1.2% of the ChatGPT Plus subscribers who were active during a specific nine-hour window.

“In the hours before we took ChatGPT offline on Monday, it was possible for some users to see another active user’s first and last name, email address, payment address, the last four digits (only) of a credit card number, and credit card expiration date,” OpenAI said.

Fortunately, full credit card numbers were not exposed at any time.

OpenAI said there were two possible scenarios in which the wrong ChatGPT Plus subscriber might have seen another user’s payment details.

Firstly, they might have been sent the wrong subscription confirmation email on 20 March 2023 between 10:00 and 19:00 South African time.

“Due to the bug, some subscription confirmation emails generated during that window were sent to the wrong users,” OpenAI said.

“These emails contained the last four digits of another user’s credit card number, but full credit card numbers did not appear.”

It added that it was possible a “small number” of subscription confirmation emails might have been incorrectly addressed before 20 March, but it was yet to confirm any such instances.

In the second scenario, a user’s information might have been exposed if another active user opened “Manage my subscription” in the My Account section of ChatGPT during the same window.

“During this window, another active ChatGPT Plus user’s first and last name, email address, payment address, the last four digits (only) of a credit card number, and credit card expiration date might have been visible,” OpenAI said.

“It’s possible that this also could have occurred prior to 20 March, although we have not confirmed any instances of this.”

OpenAI said it contacted affected users to notify them that their payment information might have been exposed.

It added it was confident that there was no ongoing risk to users’ data.

The company also provided in-depth technical details about the bug and how it was fixed in a blog post last week.

