AI Decipher File · March 20, 2023 (incident window 1 a.m. to 10 a.m. PT)
OpenAI ChatGPT Redis Bug (March 2023): The Race Condition That Exposed Other Users' Conversations
The OpenAI ChatGPT March 2023 incident is the Applied AI privacy case study with a primary-source post-mortem from the lab itself. Between 1 a.m. and 10 a.m. PT on March 20, 2023, a race condition in the redis-py asynchronous client caused some ChatGPT users to see conversation titles and the first message from other active users' chat history. A subsequent investigation also found that approximately 1.2 percent of ChatGPT Plus users active during that window may have had limited payment-related information visible to other users. OpenAI took ChatGPT offline, patched the library, and published a detailed post-mortem.
Failure pattern
Open-source dependency race condition exposing cross-tenant data through a connection pool
Organizations involved
OpenAI, Redis (redis-py maintainers)
Incident summary
On March 20, 2023, OpenAI took ChatGPT offline after reports that users were seeing titles of other users' conversation history in their sidebar. OpenAI's post-mortem, published four days later under the title 'March 20 ChatGPT outage: Here's what happened,' attributed the exposure to a bug in the redis-py asynchronous client used in ChatGPT's caching layer.
The post-mortem explains that under specific conditions an asynchronous Redis request could be canceled before the response was returned to the client. The cancellation could leave a corrupted connection in the pool, so the next user receiving that connection might read data intended for another user. The exposed fields included conversation titles and the first message of new conversations.
OpenAI's follow-up investigation found that the same bug had also exposed limited payment-related information for approximately 1.2 percent of ChatGPT Plus users who were active during the nine-hour window. Exposed fields named in the post-mortem were first and last name, email address, payment address, the last four digits of a credit card number, and the credit card expiration date. Full credit card numbers were not exposed.
Failure technique
The root cause was a race condition in an open-source dependency, not a flaw unique to OpenAI's code. The redis-py library is widely used across the Python community. The bug was triggered by asynchronous request cancellation interacting with the connection pool. OpenAI's reproduction steps were shared with the redis-py maintainers and the upstream patch shipped.
From a system-design angle, the incident illustrates how cross-tenant isolation can be undermined by infrastructure choices that look local. A connection pool that may return a partially-read connection to a different user is a tenant-isolation surface even though developers usually treat it as plumbing. AI infrastructure roles need to enumerate every such surface before launching a multi-tenant system.
The failure also surfaced a privacy-engineering question that AI engineering teams continue to face. The redis-py bug existed before ChatGPT was built. The exposure became significant because ChatGPT routed user conversation state through that infrastructure at scale. Any production AI feature that handles user content inherits the privacy posture of every layer below it.
Impact and consequences
The direct technical impact was bounded by OpenAI's response: the system was taken offline within hours, the bug was reproduced and patched, and the post-mortem was published within four days. Users affected by payment-information exposure were notified individually per OpenAI's commitment.
The regulatory consequence was significant. On March 30, 2023, the Italian Data Protection Authority (Garante per la protezione dei dati personali) issued a provisional order limiting OpenAI's processing of Italian users' data, citing the incident and broader concerns about lawful basis under the GDPR. OpenAI responded by adding additional disclosures and an age-verification step. The Italian order remains the canonical regulator response to this incident.
Industry-wide, the incident sharpened enterprise scrutiny of consumer AI tools handling proprietary data. The Samsung internal restriction announced weeks later (see /decipher-files/samsung-chatgpt-data-leak) is one of several enterprise responses traceable in the public record.
Lessons for builders
Treat every infrastructure dependency as a tenant-isolation surface, not just the components labeled multi-tenant. Connection pools, caches, load balancers, and async runtimes can all leak across users under failure conditions that the dependency authors did not test.
Maintain a written tenant-isolation threat model for the production AI surface. Enumerate every component that might serve data from one user to another. Define the verification step for each. The redis-py issue would have been visible to a model that asked the question explicitly.
Run cross-tenant differential testing in the regression suite. The simplest version is a test that opens two sessions with distinct content and asserts that neither session can see the other's data. Variants of the test should target the connection pool, the cache layer, and the request middleware.
Stage a public, technically credible post-mortem for any incident with privacy impact. OpenAI's same-week publication is one reason the case is still useful to the field. Reaching the same bar means standing up the documentation pipeline before an incident, not during one.
Mitigations
What builders should put in place to address the failure pattern. Each mitigation maps to operational practice the relevant Applied AI roles own.
- Maintain a written tenant-isolation threat model and review it whenever a new dependency joins the production AI runtime. Connection pools, caches, and async runtimes are all in scope.
- Add cross-tenant differential tests to the regression suite. The simplest version compares two distinct sessions and asserts no cross-contamination at the cache, queue, or session-context layer.
- Subscribe to security feeds for every production dependency and the language runtime itself. The redis-py issue was patched upstream; teams that tracked the project would have shipped the fix faster.
- Stage an incident-response playbook that includes a public, primary-source post-mortem within a defined SLA. The capability needs to exist before the incident, not be improvised during one.
- Notify users of payment-related exposure individually with specifics. OpenAI's individual notification approach is the working reference for AI privacy incidents involving billing data.
- Document tenant-isolation guarantees in the user-visible privacy policy and the enterprise customer agreement so users have the basis to make an informed risk decision.
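As an added example (not code from OpenAI or redis-py), the constructed asyncio simulation below shows the failure mode described in the incident summary together with the cross-tenant differential test recommended above: a request cancelled after it is sent but before its reply is read leaves that reply on the pooled connection, and the next tenant to borrow the connection reads it. The `Connection`, `Pool`, `safe` flag and user keys are simplifications assumed for the demonstration; the cleanup in the `safe` branch is the simulation's remedy, not a description of the upstream patch.

```python
import asyncio
from collections import deque


class Connection:
    def __init__(self):
        self.inbox = deque()  # stands in for unread reply bytes on the socket

    async def request(self, key):
        self.inbox.append(f"value-of:{key}")  # reply lands on the wire
        await asyncio.sleep(0.01)              # a cancellation can arrive here
        return self.inbox.popleft()            # caller reads the oldest reply


class Pool:
    def __init__(self, safe):
        self.safe = safe            # True: clean up on cancel; False: the bug
        self.free = [Connection()]

    async def get(self, key):
        conn = self.free.pop()
        try:
            return await conn.request(key)
        except asyncio.CancelledError:
            if self.safe:
                conn.inbox.clear()  # remedy: never pool a connection holding a stale reply
            raise
        finally:
            self.free.append(conn)  # unsafe mode returns the corrupted connection to the pool


async def _scenario(safe):
    pool = Pool(safe)
    task_a = asyncio.create_task(pool.get("user-a:conversation-title"))
    await asyncio.sleep(0)  # A's request is sent; cancel it before its reply is read
    task_a.cancel()
    try:
        await task_a
    except asyncio.CancelledError:
        pass
    return await pool.get("user-b:conversation-title")  # B borrows the same connection


def observed_by_b(safe):
    # What user B receives for their own key, with or without the remedy
    return asyncio.run(_scenario(safe))


def differential_test(safe):
    """The cross-tenant check from the lessons above: B must never see A's data."""
    return "user-a" not in observed_by_b(safe)
```

In unsafe mode `observed_by_b(False)` returns user A's reply, which is exactly the cross-tenant read the differential test is meant to catch before a multi-tenant launch.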
Related Applied AI roles
The Applied AI roles whose day-to-day work would have prevented, detected, or contained this incident.
- AI Engineer: An AI Engineer builds production cybersecurity-relevant AI systems integrating LLMs, embeddings, and retrieval pipelines.
- AI Platform Engineer: An AI Platform Engineer builds internal platforms enabling AI development at scale across an organization.
- AI Infrastructure Engineer: An AI Infrastructure Engineer manages cloud and compute infrastructure for AI workloads at scale.
- AI Reliability Engineer: An AI Reliability Engineer ensures production AI systems meet service-level objectives across uptime, latency, and quality.
Cybersecurity Decipher File parallel
Cross-vertical bridge
This Applied AI failure pattern parallels the cybersecurity Decipher File on Okta Support Breach 2023: 1Password, Cloudflare, BeyondTrust Timeline. Both incidents exploited a trust posture rather than a technical flaw. Reading them together clarifies how Applied AI failure modes map onto patterns cybersecurity practitioners already recognize.
Frequently asked questions
What caused the OpenAI ChatGPT March 2023 incident?
A race condition in the redis-py asynchronous client allowed a corrupted connection to be returned to the connection pool after an asynchronous request was canceled. The next user assigned that connection could read data intended for another user. OpenAI's official post-mortem on March 24, 2023 attributed the exposure to this bug and confirmed the upstream fix.
How many users were affected by the ChatGPT data leak?
Conversation-title exposure affected an unspecified but bounded number of users active during the nine-hour window on March 20, 2023. A separate investigation determined that approximately 1.2 percent of ChatGPT Plus users active during that window may have had limited payment-related information visible to other users. Full credit card numbers were not exposed.
Did regulators take action against OpenAI after the incident?
Yes. On March 30, 2023, the Italian Data Protection Authority issued a provisional order limiting OpenAI's processing of Italian users' data, citing the incident and broader GDPR concerns. OpenAI added new disclosures and an age-verification step in response. The order remains the canonical regulator response to the incident in the public record.
Was the bug specific to OpenAI's code?
No. The race condition was in the redis-py asynchronous client, an open-source library used widely across the Python community. OpenAI reproduced the issue, worked with the redis-py maintainers, and the fix shipped upstream. Other systems using the same library and pattern could have been affected.
Which Applied AI roles work on preventing this class of incident?
AI Platform Engineer owns the tenant-isolation properties of the AI runtime. AI Infrastructure Engineer monitors and patches dependency vulnerabilities. AI Reliability Engineer owns the regression suite that catches cross-tenant leakage. AI Engineer maintains the application-layer code that consumes the infrastructure responsibly.
Sources
- OpenAI: 'March 20 ChatGPT outage: Here's what happened' (OpenAI official engineering post-mortem, 24 March 2023)
- redis-py issue tracker on GitHub (the upstream open-source library where the race condition was patched)
- Italian Data Protection Authority (Garante per la protezione dei dati personali) provisional order on OpenAI ChatGPT (30 March 2023)
- GDPR Article 33: Notification of a personal data breach to the supervisory authority (regulatory framework cited by Garante)
DecipherU is not affiliated with, endorsed by, or sponsored by any company listed in this directory. Information compiled from publicly available sources for educational purposes.