OpenAI Admits to Data Breach and Security Concerns in ChatGPT

Kamso Oguejiofor, Writer

OpenAI, the organization behind ChatGPT, has confirmed a data breach caused by an issue in an open-source library.

After a glitch, which inadvertently allowed people to access chat data from other users and resulted in a data breach, OpenAI developers temporarily took ChatGPT down while they worked to identify the problem.

The issue originated from ChatGPT’s use of redis-py, an open-source Redis client library, which was affected by a change OpenAI introduced on March 20. That change accidentally introduced a bug that exposed user data.

Developers use Redis as a means of caching user information on their server, which prevents the need to consult the database for each request. The Redis-py library functions as a Python interface in this process. However, this solution ended up allowing users to access each other’s data temporarily.

Upon investigating the matter, OpenAI found that the breach exposed the titles of active users’ chat histories and the initial message of new conversations. Furthermore, the glitch revealed sensitive data, including names, email addresses, card expiration dates, payment addresses, and the last four digits of card numbers.

Although OpenAI stated that the information was exposed during a nine-hour period on March 20, it admitted that data leaks might have occurred before that date. The company has reached out to affected users and assured them that there is no ongoing threat to user data.

Around the same time, GreyNoise, a threat intelligence firm, issued a warning regarding a new ChatGPT feature that expands the chatbot’s data collection abilities via plugins.

GreyNoise discovered that the code examples offered by OpenAI for integrating plugins with the new feature included a Docker image for the MinIO distributed object storage system. The Docker image version in OpenAI’s example is affected by a potentially serious information disclosure vulnerability, CVE-2023-28432.

GreyNoise has already observed attempts to exploit the vulnerability in real-world scenarios.

About the Author


Kamso Oguejiofor is a former Content Writer at SafetyDetectives. He has over 2 years of experience writing and editing topics about cybersecurity, network security, fintech, and information security. He has also worked as a freelance writer for tech, health, beauty, fitness, and gaming publications, and he has experience in SEO writing, product descriptions/reviews, and news stories. When he’s not studying or writing, he likes to play basketball, work out, and binge watch anime and drama series.
