ChatGPT Exposes Email Address of Other Users

There were a number of users whose email addresses were exposed accidentally by ChatGPT’s website recently. While OpenAI asserted that the cause was a bug in the Redis client open-source library.

In ChatGPT, users can browse all their query history from the sidebar of the ChatGPT window on their web browser. From this sidebar, you can browse all the past queries you have made or even use them to regenerate the responses.

However, many users reported an unusual issue on Monday morning. The reports from the users claim that they could see information about chat queries from other users listed in their query history.

There have also been several reports from ChatGPT Plus subscribers reporting that they came across other people’s email addresses on their subscription pages.

When OpenAI became aware of the incident, they acted quickly with the intent of shutting down ChatGPT to analyze the situation.

Open-Source Bug

The ChatGPT service was exposed as a result of an error in the Redis client open-source library that caused the chat queries and email addresses of other users to be exposed to other users of the platform.

An estimated 1.2% of ChatGPT Plus subscribers had their personal details exposed, which included their chat queries and email addresses. As a result, ChatGPT Plus subscriptions have been suspended, and OpenAI has removed the sidebar for chat histories.

The OpenAI team immediately contacted the Redis maintainers after identifying the issue and provided them with a patch to fix it.

Data Exposed

Several types of information have been exposed, including:

  • Subscriber name
  • Email address
  • Payment address
  • Last four digits of the credit card number
  • Credit card expiration date

OpenAI estimates that many individuals may have had their data exposed in this data breach. It is important to note that to access this information, ChatGPT Plus subscribers had to do one of the following:-

  • Check your email for a confirmation email sent between 1 am and 10 am Pacific time on Monday, March 20, which confirms your subscription.
  • On Monday, March 20, between 1 am and 10 am Pacific time, click “My account” and then “Manage my subscription.”

ChatGPT asserted that they are in the process of contacting all users whose payment information has been compromised due to this security breach.

Actions Taken

As part of OpenAI’s efforts to improve its systems, the following actions have been taken:-

  • To fix the underlying bug, OpenAI has extensively tested the fix.
  • The data returned by the Redis cache will be checked twice to ensure that the data returned matches the information retrieved by the requester.
  • Thoroughly programmatically analyzed the logs to ensure that only the appropriate users could access all messages.
  • To notify the affected users, the company has done several data sources correlations to identify them precisely.
  • A more comprehensive logging system has been implemented to identify when this occurs and confirm that it has been resolved.
  • To reduce the possibility of connection errors under extreme load, the company has improved its robustness and scaled its Redis cluster as well.

Searching to secure your APIs? – Try Free API Penetration Testing

Related Coverage: