A week ago we reported on the ChatGPT outage that had users around the world frustrated, with over 1,000 reports from users logging problems opening or using the bot. The outage struck both paid and free users resulting in lost conversations and general agony.
The issue was resolved not long after, but in a post from OpenAI titled “March 20 ChatGPT outage: Here's what happened” we learned the troubling truth behind what really went on in the hours that ChatGPT went dark.
According to OpenAI, the bug allowed users to see titles from other users' chat history, which included the first message of a newly created chat, that could be seen on another person’s history if both users happened to be online at the same time.
So, if you and I were using ChatGPT at the same time, there was a chance you would have my chat details on your screen and vice versa. Spooky and a little unnerving. Users also lost some chat history which was restored once the bug was patched – with the exception of a few hours of history, likely surrounding the bug.
However, perhaps the most troubling issue that’s been reported by OpenAI is the fact that the same bug “may have caused the unintentional visibility of payment-related information of 1.2% of the ChatGPT Plus subscribers who were active during a specific nine-hour window”.
A worrying admission
OpenAI explained that in the hours before ChatGPT was taken offline, it was possible for some users to see another active user's first and last names, mail addresses, payment addresses, and the last four digits of a credit card number along with the expiration date.
OpenAI detailed that the likelihood of someone's data being revealed to another user is very low, as they would need to meet very specific criteria. This includes opening a subscription email that was sent between 1 am and 10 am Pacific Time (which was when the bug meant those emails went to the wrong users).
The second criterion to be met would have been users clicking on ‘Manage my subscription’ between 1 am and 10 am Pacific time. During this window, another active user's first and last name, email address, payment address, credit card expiry date, and the last four digits of their credit card number would have been visible.
The affected users have been contacted by OpenAI, who are confident there is "no ongoing risk to users' data". If you're concerned about your payment information being exposed, the only real course of action is to remove your payment details from your OpenAI account, or contacting your bank to check for suspicious activity if you believe your details may have been among those exposed.