Sensitive Information Disclosure · High

ChatGPT Redis bug exposes chat history and payment data

March 2023 · OpenAI ChatGPT
What happened
A bug let some users see other users' chat titles and first messages. OpenAI also confirmed that payment-related data of about 1.2% of ChatGPT Plus subscribers in a nine-hour window may have been exposed, including names, emails, billing addresses, and the last four digits of a card.
Root cause
A bug in the redis-py client. A change caused a spike in request cancellations, and under that condition canceled requests could return another connection's cached data.
Fix / outcome
OpenAI patched its Redis usage, contributed fixes upstream, added redundant checks, and notified affected users.
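A simplified model of this bug class, added here as an illustration and not taken from redis-py or OpenAI's code: a request canceled after it is sent but before its reply is read leaves that reply on a pooled connection, and the next caller receives it. `Connection`, `fetch_unsafe`, `fetch_safe` and the user names are constructed for the example; the safe variant assumes the fix is to discard the connection on cancellation and to check that each reply belongs to the requester.

```python
import asyncio

class Connection:
    """Constructed stand-in for one pooled connection: replies are read in arrival order."""
    def __init__(self):
        self.replies = asyncio.Queue()

    def send(self, user):
        # The simulated server answers 10 ms later with data belonging to `user`.
        loop = asyncio.get_running_loop()
        loop.call_later(0.01, self.replies.put_nowait, (user, f"data-for-{user}"))

async def fetch_unsafe(pool, user):
    conn = pool.pop()
    try:
        conn.send(user)
        _, data = await conn.replies.get()
        return data
    finally:
        # Bug: a cancelled request hands back a connection with an unread reply in flight.
        pool.append(conn)

async def fetch_safe(pool, user):
    conn = pool.pop()
    try:
        conn.send(user)
        owner, data = await conn.replies.get()
    except asyncio.CancelledError:
        pool.append(Connection())  # drop the desynchronized connection, pool a fresh one
        raise
    pool.append(conn)
    if owner != user:  # redundant check: the reply must belong to the requester
        raise RuntimeError("reply does not match request")
    return data

async def scenario(fetch):
    pool = [Connection()]
    task = asyncio.create_task(fetch(pool, "alice"))
    await asyncio.sleep(0)      # alice's request is sent and is waiting for its reply
    task.cancel()               # ...then it is cancelled before the reply arrives
    await asyncio.gather(task, return_exceptions=True)
    await asyncio.sleep(0.02)   # alice's reply lands on the old connection
    return await fetch(pool, "bob")

def run(fetch):
    return asyncio.run(scenario(fetch))

if __name__ == "__main__":
    print(run(fetch_unsafe), run(fetch_safe))
```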