This created a small probability for each connection to return bad data. Pacific time on Monday, March 20, we inadvertently introduced a change to our server that caused a spike in Redis request cancellations.
When using Asyncio, requests and responses with redis-py behave as two queues: the caller pushes a request onto the incoming queue, and will pop a response from the outgoing queue, and then return the connection to the pool.The library maintains a shared pool of connections between the server and the cluster, and recycles a connection to be used for another request once done.We use the redis-py library to interface with Redis from our Python server, which runs with Asyncio.We use Redis Cluster to distribute this load over multiple Redis instances.We use Redis to cache user information in our server so we don’t need to check our database for every request.
SECURITY BREACH PATCH
As soon as we identified the bug, we reached out to the Redis maintainers with a patch to resolve the issue. The bug was discovered in the Redis client open-source library, redis-py. We apologize again to our users and to the entire ChatGPT community and will work diligently to rebuild trust. Unfortunately, this week we fell short of that commitment, and of our users’ expectations. It’s a responsibility we take incredibly seriously. We are confident that there is no ongoing risk to users’ data.Įveryone at OpenAI is committed to protecting our users’ privacy and keeping their data safe. We have reached out to notify affected users that their payment information may have been exposed. It’s possible that this also could have occurred prior to March 20, although we have not confirmed any instances of this.
SECURITY BREACH PLUS
During this window, another active ChatGPT Plus user’s first and last name, email address, payment address, the credit card type and last four digits (only) of a credit card number, and credit card expiration date might have been visible.
SECURITY BREACH FULL
These emails contained the credit card type and last four digits of another user’s credit card number, but full credit card numbers did not appear. Due to the bug, some subscription confirmation emails generated during that window were sent to the wrong users. Open a subscription confirmation email sent on Monday, March 20, between 1 a.m.To access this information, a ChatGPT Plus subscriber would have needed to do one of the following: We believe the number of users whose data was actually revealed to someone else is extremely low. Full credit card numbers were not exposed at any time.
SECURITY BREACH OFFLINE
In the hours before we took ChatGPT offline on Monday, it was possible for some users to see another active user’s first and last name, email address, payment address, credit card type and the last four digits (only) of a credit card number, and credit card expiration date. Upon deeper investigation, we also discovered that the same bug may have caused the unintentional visibility of payment-related information of 1.2% of the ChatGPT Plus subscribers who were active during a specific nine-hour window. As promised, we’re publishing more technical details of this problem below. We were able to restore both the ChatGPT service and, later, its chat history feature, with the exception of a few hours of history. It’s also possible that the first message of a newly-created conversation was visible in someone else’s chat history if both users were active around the same time. We took ChatGPT offline earlier this week due to a bug in an open-source library which allowed some users to see titles from another active user’s chat history.
0 kommentar(er)
