We took ChatGPT offline earlier this week on account of a bug in an open-source library which allowed some users to see titles from one other energetic user’s chat history. It’s also possible that the primary message of a newly-created conversation was visible in another person’s chat history if each users were energetic around the identical time.

The bug is now patched. We were in a position to restore each the ChatGPT service and, later, its chat history feature, aside from just a few hours of history. As promised, we’re publishing more technical details of this problem below.

Upon deeper investigation, we also discovered that the identical bug could have caused the unintentional visibility of payment-related information of 1.2% of the ChatGPT Plus subscribers who were energetic during a selected nine-hour window. Within the hours before we took ChatGPT offline on Monday, it was possible for some users to see one other energetic user’s first and last name, email address, payment address, the last 4 digits (only) of a bank card number, and bank card expiration date. Full bank card numbers weren’t exposed at any time. 

We consider the variety of users whose data was actually revealed to another person is incredibly low. To access this information, a ChatGPT Plus subscriber would have needed to do one among the next:

• Open a subscription confirmation email sent on Monday, March 20, between 1 a.m. and 10 a.m. Pacific time. Because of the bug, some subscription confirmation emails generated during that window were sent to the flawed users. These emails contained the last 4 digits of one other user’s bank card number, but full bank card numbers didn’t appear. It’s possible that a small variety of subscription confirmation emails may need been incorrectly addressed prior to March 20, although now we have not confirmed any instances of this.
• In ChatGPT, click on “My account,” then “Manage my subscription” between 1 a.m. and 10 a.m. Pacific time on Monday, March 20. During this window, one other energetic ChatGPT Plus user’s first and last name, email address, payment address, the last 4 digits (only) of a bank card number, and bank card expiration date may need been visible. It’s possible that this also could have occurred prior to March 20, although now we have not confirmed any instances of this.

We’ve got reached out to notify affected users that their payment information could have been exposed. We’re confident that there isn’t any ongoing risk to users’ data. 

Everyone at OpenAI is committed to protecting our users’ privacy and keeping their data protected. It’s a responsibility we take incredibly seriously. Unfortunately, this week we fell in need of that commitment, and of our users’ expectations. We apologize again to our users and to all the ChatGPT community and can work diligently to rebuild trust.