ChatGPT Exposes Email Address of Other Users – Open-Source Bug

There were a number of users whose email addresses were exposed accidentally by ChatGPT’s website recently. While OpenAI asserted that the cause was a bug in the Redis client open-source library.

In ChatGPT, users can browse all their query history from the sidebar of the ChatGPT window on their web browser. From this sidebar, you can browse all the past queries you have made or even use them to regenerate the responses.

However, many users reported an unusual issue on Monday morning. The reports from the users claim that they could see information about chat queries from other users listed in their query history.

There have also been several reports from ChatGPT Plus subscribers reporting that they came across other people’s email addresses on their subscription pages.

When OpenAI became aware of the incident, they acted quickly with the intent of shutting down ChatGPT to analyze the situation.

Open-Source Bug

The ChatGPT service was exposed as a result of an error in the Redis client open-source library that caused the chat queries and email addresses of other users to be exposed to other users of the platform.

An estimated 1.2% of ChatGPT Plus subscribers had their personal details exposed, which included their chat queries and email addresses. As a result, ChatGPT Plus subscriptions have been suspended, and OpenAI has removed the sidebar for chat histories.

The OpenAI team immediately contacted the Redis maintainers after identifying the issue and provided them with a patch to fix it.

Data Exposed

Several types of information have been exposed, including:

  • Subscriber name
  • Email address
  • Payment address
  • Last four digits of the credit card number
  • Credit card expiration date

OpenAI estimates that many individuals may have had their data exposed in this data breach. It is important to note that to access this information, ChatGPT Plus subscribers had to do one of the following:-

  • Check your email for a confirmation email sent between 1 am and 10 am Pacific time on Monday, March 20, which confirms your subscription.
  • On Monday, March 20, between 1 am and 10 am Pacific time, click “My account” and then “Manage my subscription.”

ChatGPT asserted that they are in the process of contacting all users whose payment information has been compromised due to this security breach.

Actions Taken

As part of OpenAI’s efforts to improve its systems, the following actions have been taken:-

  • To fix the underlying bug, OpenAI has extensively tested the fix.
  • The data returned by the Redis cache will be checked twice to ensure that the data returned matches the information retrieved by the requester.
  • Thoroughly programmatically analyzed the logs to ensure that only the appropriate users could access all messages.
  • To notify the affected users, the company has done several data sources correlations to identify them precisely.
  • A more comprehensive logging system has been implemented to identify when this occurs and confirm that it has been resolved.
  • To reduce the possibility of connection errors under extreme load, the company has improved its robustness and scaled its Redis cluster as well.

Searching to secure your APIs? – Try Free API Penetration Testing

Related Coverage:

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a Taiwanese…

5 hours ago

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals in…

6 hours ago

Sophisticated Phishing Attack Targeting Ukraine Military Sectors

The Ukrainian Cyber Emergency Response Team discovered a targeted phishing campaign launched by UAC-0215 against…

6 hours ago

Chinese Hackers Attacking Microsoft Customers With Sophisticated Password Spray Attacks

Researchers have identified a network of compromised devices, CovertNetwork-1658, used by Chinese threat actors to…

6 hours ago

New Windows Zero-Day Vulnerability Let Attackers Steal Credentials From Victim’s Machine

A security researcher discovered a vulnerability in Windows theme files in the previous year, which…

6 hours ago

SYS01 InfoStealer Malware Attacking Meta Business Page To Steal Logins

The ongoing Meta malvertising campaign, active for over a month, employs an evolving strategy to…

6 hours ago