OpenAI says a bug in the open source Redis client library was behind Monday’s ChatGPT outage and data leak, in which users saw other users’ personal information and chat requests.

ChatGPT displays a history of your past queries in the sidebar, allowing you to click on one and regenerate a response from the chatbot.

On Monday morning, many ChatGPT users reported seeing other people’s chat requests listed in their history.

HackerFantastic tweet about ChatGPT data leak

As first reported by PC Magazine, multiple ChatGPT Plus subscribers also reported seeing other people’s email addresses on their subscription pages.

Tweet about leaked emails

Shortly after, OpenAI took ChatGPT offline to investigate an issue, but did not provide details on the cause of the outage.

Status message during ChatGPT crash

Open source library bug behind data leak

Today, OpenAI released a post-mortem report explaining that a bug in the open source Redis client library caused the ChatGPT service to expose other users’ chat requests and the personal information of approximately 1.2% of ChatGPT Plus subscribers.

“The bug was discovered in the open source Redis client library, redis-py. As soon as we identified the bug, we contacted Redis maintainers with a patch to address the issue,” OpenAI said in a post-mortem published today.

The information exposed includes a subscriber’s name, email address, payment address, and the last four digits of their credit card number and expiration date.

“Upon further investigation, we also found that the same bug may have caused the unintended visibility of payment-related information for 1.2% of ChatGPT Plus subscribers who were active during a specific nine-hour window,” the post-mortem says.

“In the hours leading up to ChatGPT going offline on Monday, it was possible for some users to see first and last name, email address, payment address, last four digits (only) of a credit card number and another active user’s credit card expiration date. Full credit card numbers were not exposed at any time.”

OpenAI says the number of people whose data was exposed is likely very low because it required specific actions, including:

  • Open a subscription confirmation email sent Monday, March 20 between 1 a.m. and 10 a.m. PT.
  • In ChatGPT, click “My Account” and then “Manage My Subscription” between 1:00 a.m. and 10:00 a.m. PT on Monday, March 20.

The company says it is contacting all affected ChatGPT users whose payment information has been exposed.

OpenAI CEO Sam Altman apologized for the leaks Wednesday night on Twitter.

“We had a significant issue in ChatGPT due to a bug in an open source library, for which a fix has now been released and we have just completed validation. A small percentage of users were able to view the titles of other users’ chat history,” Altman shared in a tweet.

“We feel very bad about this.”

