OpenAI says a bug leaked sensitive ChatGPT user data

OpenAI was forced to take its wildly-popular ChatGPT bot offline for emergency maintenance on Tuesday after a user was able to exploit a bug in the system to recall the titles from other users’ chat histories. On Friday the company announced its initial findings from the incident.

In Tuesday’s incident, users posted screenshots on Reddit that their ChatGPT sidebars featured previous chat histories from other users. Only the title of the conversation, not the text itself, were visible. OpenAI, in response, took the bot offline for nearly 10 hours to investigate. The results of that investigation revealed a deeper security issue: the chat history bug may have also potentially revealed personal data from 1.2 percent of ChatGPT Plus subscribers (a $20/month enhanced access package). 

“In the hours before we took ChatGPT offline on Monday, it was possible for some users to see another active user’s first and last name, email address, payment address, the last four digits (only) of a credit card number, and credit card expiration date. Full credit card numbers were not exposed at any time,” the OpenAI team wrote Friday. The issue has since been patched for the faulty library which OpenAI identified as the Redis client open-source library, redis-py.

The company has downplayed the likelihood of such a breach occurring, arguing that either of the following criteria would have to be met to place a user at risk:

– Open a subscription confirmation email sent on Monday, March 20, between 1 a.m. and 10 a.m. Pacific time. Due to the bug, some subscription confirmation emails generated during that window were sent to the wrong users. These emails contained the last four digits of another user’s credit card number, but full credit card numbers did not appear. It’s possible that a small number of subscription confirmation emails might have been incorrectly addressed prior to March 20, although we have not confirmed any instances of this.

– In ChatGPT, click on “My account,” then “Manage my subscription” between 1 a.m. and 10 a.m. Pacific time on Monday, March 20. During this window, another active ChatGPT Plus user’s first and last name, email address, payment address, the last four digits (only) of a credit card number, and credit card expiration date might have been visible. It’s possible that this also could have occurred prior to March 20, although we have not confirmed any instances of this. 

The company has taken additional steps to prevent this from happening again in the future including adding redundant checks to library calls, “programatically examined our logs to make sure that all messages are only available to the correct user,” and “improved logging to identify when this is happening and fully confirm it has stopped.” The company says that it has also reached out to alert affected users of the issue.

This news follows a costly public faux pas committed by Google’s rival Bard AI in February when it incorrectly assured Twitter that the JWST was the first telescope to image an exoplanet, as well as revelations that CNET had surreptitiously used generative AI to write financial explainer posts (a week before laying off a sizable chunk of its editorial department). Whether OpenAI will suffer the same market-based repercussions as its competitors remains to be seen. 

Read More
Andrew Tarantola

Latest

Argentina vs England: Ex-Super Eagles captain faults Tuchel in semifinal ‘heartbreak’

Soccer Former Super Eagles captain Sunday Oliseh has blamed...

Bundesliga: Bayer 04 Leverkusen attacker eyes Super Eagles return after injury lay-off

Soccer Victor Boniface, Edmond Tapsoba, florian wirtz, Nathan Tella...

World Cup 2026: Messi’s masterclass vs England not enough to beat Okocha’s legendary mark

Soccer Lionel Messi produced another unforgettable World Cup performance...

Newsletter

Don't miss

Grey Business processes $61 million as stablecoins dominate payments

Grey Business enables startups and SMEs to open US Dollar (USD) corporate accounts, send and receive international payments, convert currencies, and transact using stablecoins such as USDC and USDT...

Utah Marketers to Host Free Business Networking Event in Layton on June 24

The custom web design company is hosting free monthly networking events for Northern Utah business leaders, with the next event scheduled for June 24 from 4 to 6 p.m. Utah Marketers is hosting a free local business networking event on June 24 from 4 to 6 p.m. at the company’s Layton office. The event is

WellnessVibe Announces Business DNA Workshop in Delhi and Mumbai, where Ancient Sound Wisdom Meets Modern Business Strategy

WellnessVibe has officially announced the launch of its transformative Business DNA Workshop on 7th June 2026 in Delhi and 20th June 2026 in Mumbai. (1888PressRelease) June 03, 2026 - Delhi/Mumbai, India - WellnessVibe has officially announced the launch of its transformative Business DNA Workshop on 7th June 2026 in Delhi and 20th June 2026 in