This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

ChatGPT / OpenAI

Summary

ChatGPT suffered its first major data breach on 20 March 2023 when a bug in the Redis-py open source library exposed payment-related information and chat history titles of some users. During a nine-hour window, 1.2% of ChatGPT Plus subscribers who were active could potentially view other users' personal and payment information. OpenAI temporarily took ChatGPT offline to investigate and remediate the vulnerability.

What Happened

On 20 March 2023, OpenAI introduced a change to ChatGPT that inadvertently created a vulnerability in Redis-py, the open source Redis client library. During a specific nine-hour window, some users could view the titles and first messages of conversations from another user's chat history.

During the hours before ChatGPT was taken offline, it was also possible for some active ChatGPT Plus subscribers to see another active user's first and last name, email address, payment address, the last four digits of their credit card number, and credit card expiration date. Critically, full credit card numbers were not exposed.
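The page names the library but not the failure mode. The toy asyncio connection pool below is an added illustration, not OpenAI's or redis-py's code; it assumes the mechanism OpenAI described in its post-mortem: a request cancelled after it has been sent but before its reply is read leaves that reply on the connection, so the next request to reuse the pooled connection receives the previous user's cached record. The user names and cache contents are constructed, and the hardened path discards a connection whose request was cancelled instead of returning it to the pool.

```python
import asyncio

STORE = {"alice": {"name": "Alice", "card_last4": "1111"},  # constructed cache records
         "bob": {"name": "Bob", "card_last4": "2222"}}

class FakeConn:
    # One pooled connection: requests go out, replies land in this queue.
    def __init__(self):
        self.replies = asyncio.Queue()

    def send(self, key):
        # The request is already on the wire, so the reply arrives after a
        # delay whether or not the caller is still waiting for it.
        asyncio.get_running_loop().call_later(0.01, self.replies.put_nowait, STORE[key])

    async def read(self):
        return await self.replies.get()

class Pool:
    def __init__(self, drop_on_cancel):
        self.drop_on_cancel = drop_on_cancel
        self.idle = [FakeConn()]

    async def get(self, key):
        conn = self.idle.pop() if self.idle else FakeConn()
        conn.send(key)
        try:
            reply = await conn.read()
        except asyncio.CancelledError:
            if not self.drop_on_cancel:
                # Vulnerable: connection returns to the pool with a reply still
                # in flight; the next caller reading it gets someone else's record.
                self.idle.append(conn)
            raise  # hardened path: the connection is simply discarded
        self.idle.append(conn)
        return reply

async def scenario(drop_on_cancel):
    pool = Pool(drop_on_cancel)
    try:  # Alice's request times out while her reply is still in flight
        await asyncio.wait_for(pool.get("alice"), timeout=0.001)
    except asyncio.TimeoutError:
        pass
    await asyncio.sleep(0.02)  # Alice's late reply is now queued on the connection
    return await pool.get("bob")

def who_does_bob_see(drop_on_cancel):
    # Name in the record Bob's request actually receives: "Alice" or "Bob".
    return asyncio.run(scenario(drop_on_cancel))["name"]
```

Running `who_does_bob_see(False)` returns Alice's record to Bob, while `who_does_bob_see(True)` returns Bob's own; the same check is a reasonable regression test to keep around any pooled async client.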

Impact on Individuals

The breach affected 1.2% of ChatGPT Plus subscribers who were active during the specific nine-hour window. Exposed information included names, email addresses, payment addresses, and partial credit card details (last four digits and expiration date only).

On 21 March 2023, OpenAI temporarily took down ChatGPT to investigate the vulnerability, leaving the AI tool inaccessible for over an hour, with its chat history feature offline for most of the day. The company notified affected users whose payment information may have been exposed.

Organisational Response

OpenAI investigated the vulnerability and confirmed there was no ongoing risk to users' data after remediation. The company was confident that the issue had been fully resolved and implemented measures to prevent similar incidents.

The breach highlighted the security risks associated with third-party open source libraries and the importance of thorough testing before deploying changes to production systems. Italy's privacy watchdog later cited the data breach as one reason for temporarily banning ChatGPT in that country.

Verification Source: View original statement