Now on Demand: Zero Trust Strategies Summit - Access All Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Breaches

ChatGPT Data Breach Confirmed as Security Firm Warns of Vulnerable Component Exploitation

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an actively exploited vulnerability.

ChatGPT attack

ChatGPT creator OpenAI has confirmed a data breach caused by a bug in an open source library, just as a cybersecurity firm noticed that a recently introduced component is affected by an actively exploited vulnerability.

OpenAI said on Friday that it had taken the chatbot offline earlier in the week while it worked with the maintainers of the Redis data platform to patch a flaw that resulted in the exposure of user information. 

The issue was related to ChatGPT’s use of Redis-py, an open source Redis client library, and it was introduced by a change made by OpenAI on March 20. 

The chatbot’s developers use Redis to cache user information in their server, to avoid having to check the database for every request. The Redis-py library serves as a Python interface. 

The bug introduced by OpenAI resulted in ChatGPT users being shown chat data belonging to others.

According to OpenAI’s investigation, the titles of active users’ chat history and the first message of a newly created conversation were exposed in the data breach. The bug also exposed payment-related information belonging to 1.2% of ChatGPT Plus subscribers, including first and last name, email address, payment address, payment card expiration date, and the last four digits of the customer’s card number. 

This information may have been included in subscription confirmation emails sent on March 20 and it may have also been displayed in the subscription management page in ChatGPT accounts on the same day. OpenAI has confirmed that the information was exposed during a nine-hour window on March 20, but admitted that information may have been leaked prior to March 20 as well. 

“We have reached out to notify affected users that their payment information may have been exposed. We are confident that there is no ongoing risk to users’ data,” OpenAI said in a blog post. 

Advertisement. Scroll to continue reading.

The blog post describes the technical details of the issue and the action taken by the company in response.

This was not the only ChatGPT security issue that came to light last week. Also on Friday, threat intelligence company GreyNoise issued a warning regarding a new ChatGPT feature that expands the chatbot’s information collecting capabilities through the use of plugins. 

GreyNoise noticed that the code examples provided by OpenAI to customers interested in integrating their plugins with the new feature include a docker image for the MinIO distributed object storage system. 

The docker image version used in OpenAI’s example, release 2022-03-17, is affected by CVE-2023-28432, a potentially serious information disclosure vulnerability. The security hole can be leveraged to obtain secret keys and root passwords and GreyNoise has already seen attempts to exploit the vulnerability in the wild

“While we have no information suggesting that any specific actor is targeting ChatGPT example instances, we have observed this vulnerability being actively exploited in the wild. When attackers attempt mass-identification and mass-exploitation of vulnerable services, ‘everything’ is in scope, including any deployed ChatGPT plugins that utilize this outdated version of MinIO,” the security firm warned. 

Related: ChatGPT Integrated Into Cybersecurity Products as Industry Tests Its Capabilities

Related: ChatGPT and the Growing Threat of Bring Your Own AI to the SOC

Related: ‘Grim’ Criminal Abuse of ChatGPT is Coming, Europol Warns 

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Former Darktrace CEO Poppy Gustafsson has joined the UK government as Minister for Investment.

Nupur Goyal has joined cloud identity security and management solutions provider Saviynt as VP of Product Marketing.

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.