OpenAI says mysterious chat histories resulted from account takeover

stopthatgirl7@kbin.social to Technology@lemmy.world – 79 points – OpenAI says mysterious chat histories resulted from account takeover
arstechnica.com

User shocked to find chats naming unpublished research papers, and other private data.

13

ChatGPT user Chase Whiteside noticed that his account history contained private conversations that were not his own. These included login credentials and details from a pharmacy employee troubleshooting an application. OpenAI investigated and believes Whiteside's account was compromised by an external group accessing a pool of identities. This underscores the lack of security features on ChatGPT like two-factor authentication. Previous incidents have shown ChatGPT can also divulge private information if included in its training data. An interesting aspect was the candid language used by the pharmacy employee to express frustration with the poor security of the application they were troubleshooting. This highlighted the risk of including private details in conversations with AI systems.

This reads like “hey chatGPT, write a fictional paragraph about how Chase Whiteside’s OpenAI account was breached to glean private pharmaceutical data from ChatGPT”

This is the best summary I could come up with:

“From what we discovered, we consider it an account take over in that it’s consistent with activity we see where someone is contributing to a ‘pool’ of identities that an external community or proxy server uses to distribute free access,” the representative wrote.

It does, however, underscore the site provides no mechanism for users such as Whiteside to protect their accounts using 2FA or track details such as IP location of current and recent logins.

Original story: ChatGPT is leaking private conversations that include login credentials and other personal details of unrelated users, screenshots submitted by an Ars reader on Monday indicated.

“I went to make a query (in this case, help coming up with clever names for colors in a palette) and when I returned to access moments later, I noticed the additional conversations,” Whiteside wrote in an email.

Other conversations leaked to Whiteside include the name of a presentation someone was working on, details of an unpublished research proposal, and a script using the PHP programming language.

As mentioned in an article from December when multiple people found that Ubiquiti's UniFi devices broadcasted private video belonging to unrelated users, these sorts of experiences are as old as the Internet is.

The original article contains 803 words, the summary contains 202 words. Saved 75%. I'm a bot and I'm open source!

Surely they would know if they kept IP addresses for all logins?