A data breach originating from one of OpenAI’s third-party service providers has exposed the personal information of some ChatGPT Plus subscribers. The incident was caused by a bug in an open-source library and was confined to a nine-hour window on March 20th.
OpenAI confirmed the breach and has since patched the underlying vulnerability. The company directly notified users whose data was impacted by this event.
Details of the Exposed Information
The data exposure affected approximately 1.2 percent of ChatGPT Plus subscribers who were active during that nine-hour window. For this group, some payment-related information was visible to other users. The exposed data included first and last name, email address, billing address, the last four digits of the credit card number, and the card’s expiration date. OpenAI confirmed that full credit card numbers were not exposed at any point.
In addition to payment details, the bug also allowed some users to see conversation titles from another active user’s chat history. The content of the conversations was not visible.
Cause of the Breach and Company Response
The root cause of the incident was identified as a bug in the open-source Redis client library. A server configuration change reportedly exacerbated the bug, leading to the data leak. Upon discovering the issue, OpenAI temporarily took ChatGPT offline to address the vulnerability.
The bug has been patched, and OpenAI has stated that it has taken steps to improve its systems. OpenAI CEO Sam Altman publicly acknowledged the incident and apologized to the platform’s users.
Source: https://www.csoonline.com/article/4097480/openai-dienstleister-gehackt.html