What happened
On 20 March 2023 OpenAI took ChatGPT offline. The reason, disclosed a few days later, was a bug that had let users see data that was not theirs. A change OpenAI had made to its servers triggered a fault in redis-py, the open-source Redis client library it used to cache user information, and under the right timing a request could return another user’s cached data instead of the requester’s own.
The visible symptom first reported was that some users could see the titles of other active users’ conversations in their own history, and in some cases the first message of a new conversation. The more serious finding came next. During a roughly nine-hour window before ChatGPT was taken down, about 1.2 percent of ChatGPT Plus subscribers who were active in that period may have had payment-related information exposed to another user: first and last name, email address, payment address, the card type, the last four digits of a credit card, and the card’s expiration date.
OpenAI took the service down, patched the bug, contacted affected users, and published an account of what had happened. The exposure was caused by an infrastructure caching fault, not by the model, but the effect was the same as any data breach: people’s information was shown to strangers, and a fast-growing product learned in public that scale multiplies a small bug into a lot of exposed accounts.
What an auditable version would have shown
After a cross-user exposure, the urgent question is the blast radius: exactly who could see whose data, and for how long. OpenAI was able to give an estimate, 1.2 percent of active Plus users in a nine-hour window, but an estimate is what you produce when the precise answer is hard to reconstruct. An auditable version records each access to user data as an event tied to the requesting session, so that after a fault the operator can state, rather than estimate, which accounts were exposed and to whom. That record is what turns a breach notification from a careful approximation into a definite list, which is what affected users and regulators actually need.
Where the gap was
The gap was a data-isolation failure: a caching layer returned one user’s data to another, and the system had no independent check that a response belonged to the requester it was being sent to. The exposure crossed the trust boundary between accounts. A ConductRecord that ties every data access to its session is what makes the boundary auditable and the blast radius precise after the fact. The deeper discipline is that caching and performance optimisations sit on the most sensitive path in the product, the one that returns personal and payment data, and that path needs isolation and verification proportionate to what it carries, not the speed-first defaults a cache usually ships with.
What governance should have looked like
OpenAI did the visible things right: it took the product down quickly, disclosed the cause plainly, and notified the people affected. The lesson is not about the response but about the surface. A product holding millions of people’s conversations and payment details is a high-value data store first and a novelty second, and the ordinary disciplines of one, strict isolation between accounts, a verifiable record of who accessed what, and caution on the caching paths that touch sensitive data, apply in full. The model was not the risk here. The plumbing around it was.
The reference implementation of ConductRecord and the other Headlights modules is open source. It lives at github.com/saffronandindia/headlights-oss, Apache 2.0 licensed and free to install. The repository is public now.
Sources
- March 20 ChatGPT outage: Here’s what happened (OpenAI)
- A bug revealed ChatGPT users’ chat history, personal and billing data (Help Net Security)
- ChatGPT Vulnerability May Have Exposed Users’ Payment Information (Infosecurity Magazine)