Introduction
Since bursting onto the scene in November 2022, ChatGPT has changed the game for artificial intelligence bots. Gone are the days of ELIZA and SmarterChild, with a few generic responses and the ability to “remember” your favorite hobbies. ChatGPT can get jobs at Google and invent new music. They now have more than 100M users and billions of visitors monthly.
In just six months, the program has made plenty of headlines. Some of them have highlighted the positive aspects of a robot capable of complex problem-solving, from tailoring suggestions to your preferences to helping out with customer service. Other articles lamented the ability to generate new, malicious code in mere minutes.
Now ChatGPT is in the news for another reason….their open-source library was exploited through a little-known vulnerability that exposed a lot of personal data.
The Breach on ChatGPT
Open-source code has become integral for software developers. It allows engineers to easily access and modify existing code, and thus create innovative solutions quickly and efficiently. Open-source code is also beneficial for businesses as it reduces their costs and provides access to a wide range of tools and libraries that can help them get the job done faster. Furthermore, open-source code helps foster collaboration between developers from all around the world, which in turn leads to better quality products.
For ChatGPT, though, this same open-source library is exactly what the hackers exploited. A vulnerability allowed threat actors “behind the scenes” for hours before the website shut down the website to minimize damage. It took days for the OpenAI team, who produces and manages ChatGPT, to resolve and patch the issue to get the platform up and running again.
That’s not all that the hackers did. The same incident that exploited their servers also exposed, albeit momentarily, the financial and personal information of other users as well as their chat history. In a statement, OpenAI said this about the incident:
“Upon deeper investigation, we also discovered that the same bug may have caused the unintentional visibility of payment-related information of 1.2% of the ChatGPT Plus subscribers who were active during a specific nine-hour window. In the hours before we took ChatGPT offline on Monday, it was possible for some users to see another active user’s first and last name, email address, payment address, credit card type and the last four digits (only) of a credit card number, and credit card expiration date. Full credit card numbers were not exposed at any time.“
Conclusion
Does this news change how you feel about the future of AI?
You’re not the only one with as many reservations as you have hopes. Although this particular oversight has been patched, according to OpenAI, this is a shining example of how much personal data is at stake when such a big, popular database is exposed by threat actors. Be careful what you include on your profiles, and don’t feel the need to fill out every bit of personal information about yourself that they ask. Be mindful of what data you feed artificial intelligence and how it could tie back to you.
In the meantime, stay abreast of security concerns, new threats and potential vulnerabilities in the software and websites that you use. Cybercriminals are always on the lookout for new ways to exploit, steal and/or sell your confidential data. Education and vigilance are the best defenses we have.