90 incidents on record · 2026 Headlights Incident reports by Ellie Harris · Melbourne
10 new this week Library last updated 13 July 2026
← The incident library
HD-INC-044
Consumer AI · United States · 2023 · Data exposure & egress

A caching bug let ChatGPT users see other people's chat titles and some payment details

By Ellie Harris · Filed 20 March 2023

Alleged: OpenAI developed or deployed the AI system implicated in this incident. Details are drawn from public reports; parties are presumed innocent of any wrongdoing not established by an official finding.

A caching bug let ChatGPT users see other people's chat titles and some payment details

What happened

On 20 March 2023 OpenAI took ChatGPT offline. The reason, disclosed a few days later, was a bug that had let users see data that was not theirs. A change OpenAI had made to its servers triggered a fault in redis-py, the open-source Redis client library it used to cache user information, and under the right timing a request could return another user’s cached data instead of the requester’s own.

The visible symptom first reported was that some users could see the titles of other active users’ conversations in their own history, and in some cases the first message of a new conversation. The more serious finding came next. During a roughly nine-hour window before ChatGPT was taken down, about 1.2 percent of ChatGPT Plus subscribers who were active in that period may have had payment-related information exposed to another user: first and last name, email address, payment address, the card type, the last four digits of a credit card, and the card’s expiration date.

OpenAI took the service down, patched the bug, contacted affected users, and published an account of what had happened. The exposure was caused by an infrastructure caching fault, not by the model, but the effect was the same as any data breach: people’s information was shown to strangers, and a fast-growing product learned in public that scale multiplies a small bug into a lot of exposed accounts.

What an auditable version would have shown

After a cross-user exposure, the urgent question is the blast radius: exactly who could see whose data, and for how long. OpenAI was able to give an estimate, 1.2 percent of active Plus users in a nine-hour window, but an estimate is what you produce when the precise answer is hard to reconstruct. An auditable version records each access to user data as an event tied to the requesting session, so that after a fault the operator can state, rather than estimate, which accounts were exposed and to whom. That record is what turns a breach notification from a careful approximation into a definite list, which is what affected users and regulators actually need.

Where the gap was

The gap was a data-isolation failure: a caching layer returned one user’s data to another, and the system had no independent check that a response belonged to the requester it was being sent to. The exposure crossed the trust boundary between accounts. A ConductRecord that ties every data access to its session is what makes the boundary auditable and the blast radius precise after the fact. The deeper discipline is that caching and performance optimisations sit on the most sensitive path in the product, the one that returns personal and payment data, and that path needs isolation and verification proportionate to what it carries, not the speed-first defaults a cache usually ships with.

What governance should have looked like

OpenAI did the visible things right: it took the product down quickly, disclosed the cause plainly, and notified the people affected. The lesson is not about the response but about the surface. A product holding millions of people’s conversations and payment details is a high-value data store first and a novelty second, and the ordinary disciplines of one, strict isolation between accounts, a verifiable record of who accessed what, and caution on the caching paths that touch sensitive data, apply in full. The model was not the risk here. The plumbing around it was.

The reference implementation of ConductRecord and the other Headlights modules is open source. It lives at github.com/saffronandindia/headlights-oss, Apache 2.0 licensed and free to install. The repository is public now.

Sources

The mailing list

Fresh incident reports every week. One email to match.

We add new incidents to the library regularly, and send a single short email each week with what's new. The library stays free and open; this is just how you keep up with it.

No tracking. Unsubscribe in one click.

The record

An auditable system would have produced a signed, tamper-evident record the moment this happened: what the system did, the version that did it, the basis it acted on, and the action taken, and OpenAI could have produced it on demand.

This is the record the system as deployed did not produce in a signed, auditable form.

What this teaches
Capture what happened when it happens
What the system did, the version that did it, the basis it acted on, and the action taken, recorded at the moment, not reconstructed after.
Sign it, so no one has to trust the record-keeper
A tamper-evident entry. Edit it later and the signature breaks. The record does not ask for the benefit of the doubt.
Make it verifiable by anyone
A court, a regulator, a customer's lawyer can check the record themselves, without taking the company, or us, at our word.

Headlights summarises publicly reported AI incidents. All summaries are independently written, attributed to their original sources, and intended for research and educational purposes. Allegations are identified as such until established through official findings.

Last reviewed June 2026. This report is based on the sources listed above and reflects information available at the time of review; later developments may not be captured. Where a person is described as charged with or alleged to have done something, that allegation is unproven unless a conviction or a court or regulatory finding is stated. Headlights publishes journalism and commentary, not legal advice.

Want to write back?

Direct to my inbox.

ellie@useheadlights.com →