AI Vulnerabilities and Genetic Data Breach: A Dual Perspective on Security Challenges

In recent revelations, researchers at Google’s DeepMind uncovered potential pitfalls in ChatGPT’s security when subjected to specific prompts. 

The experiment involved instructing the chatbot to endlessly repeat words such as “poem,” “send,” or “make.” 

Surprisingly, ChatGPT continued generating the intended prompt and eventually began producing nonsensical outputs.

We took ChatGPT offline Monday to fix a bug in an open source library that allowed some users to see titles from other users’ chat history. Our investigation has also found that 1.2% of ChatGPT Plus users might have had personal data revealed to another user. 1/2

— OpenAI (@OpenAI) March 24, 2023

Data Exposure and Retrieval

The research paper, authored by a team of ten individuals, with seven affiliated with Google DeepMind, disclosed the extent of data exposure. 

The findings indicate that, contrary to expectations, current alignment techniques fail to prevent memorization. 

The experiment successfully led ChatGPT to reveal various types of data, ranging from personally identifiable information and explicit content to paragraphs from books, poems, unique user identifiers, and even programming code segments.

Implications for AI Safety

Alastair Paterson, CEO of Harmonic Security, expressed concerns about the broader implications beyond ChatGPT. He pointed out the potential risk to less protected Language Model Models (LLMs), including open-source models prevalent in various third-party applications. 

Paterson emphasized the importance of robust risk management to prevent sensitive material from entering third-party LLMs.

Challenges Ahead

While acknowledging the swift response to address the vulnerabilities in ChatGPT, Paterson highlighted the broader challenge in securing other less-protected LLMs. 

i dont think the ChatGPT "training data leak" is that rare or hard to trigger. you can simply paste very long input and get weird behavior every time. i pasted a kernel .c file, and asked it what the last 5 lines i sent were, and it responded with 5 lines of someone elses convo

— h0mbre (@h0mbre_) November 30, 2023

The inherent vulnerability of LLMs to such attacks highlights the critical need for stringent risk management practices to safeguard against data leaks.

Looking Forward

As generative AI models continue to evolve, these findings emphasize the ongoing journey toward achieving the desired level of safety. 

I think there is a data leak/mixup is happening with chat session names in ChatGPT today.

I see some random names are being added to my chat.

Ex: I asked a question on my react app code to modify.
– And the ChatGPT answered the question, but added “Japanese anime… pic.twitter.com/oP4uRFrWCt

— Vinod Varma (@vinodvarma24) November 26, 2023

The incident with ChatGPT serves as a reminder of the potential risks associated with sensitive data entering AI models. Vigilance, proactive measures, and continuous improvement in alignment techniques are imperative to mitigate such vulnerabilities.

23andMe Security Breach: A Deep Dive

The 23andMe, a leading direct-to-consumer genetic testing service, disclosed a security breach that exposed the ancestry data of millions of its users. 

1/2 A threat actor has allegedly leaked data from 23andMe @23andMe. They claim the data has a list of half of the users of 23andMe; 7 million. The data includes a lot of confidential information. #23andMe #DNA #Clearnet #DarkWeb #DarkWebInformer #Database #Leaks #Leaked pic.twitter.com/OAj1m0gjgx

— Dark Web Informer (@DarkWebInformer) October 3, 2023

The investigation conducted by 23andMe indicates that hackers targeted only a “very small percentage” of accounts, approximately 0.1% of its expansive customer base of over 14 million genotyped customers.

The Modus Operandi: Credential Stuffing Attack

The breach, characterized as a credential-stuffing attack, involved the reuse of duplicate usernames and passwords on the 23andMe website. 

These compromised credentials, sourced from other websites, granted unauthorized access to a fraction of user accounts.

Scope of the Breach: What Was Compromised?

The compromised accounts granted access to user profiles and allowed the threat actor to scrape sensitive information shared by users in 23andMe’s DNA Relatives feature. 

The exposed data included names, sex, age, location, ancestry markers, and health-related information based on users’ genetics.

Immediate Financial Cost

The breach’s aftermath comes with a financial toll for 23andMe, estimating one-time expenses ranging between $1 million and $2 million in its fiscal quarter ending December 31st. 

Scraped them using the web interface probably pic.twitter.com/I0ujlOnvQG

— Adhocrates (@Adhocrates) October 5, 2023

These costs include technology consulting services, legal fees, and expenses related to third-party advisors. The incident has also triggered multiple class-action claims, adding uncertainty to the financial impact.

Strategic Measures Taken by 23andMe

In response to the breach, 23andMe implemented immediate measures, requiring all users to reset their passwords and introducing mandatory two-step verification. 

These actions aim to fortify cybersecurity defenses and mitigate the potential risks associated with the compromised data.

A Wake-Up Call for Data Holders

In an era where data is a prized possession, the 23andMe security breach is a wake-up call for companies entrusted with sensitive genetic information. 

The incident highlights the imperative for constant vigilance, proactive cybersecurity measures, and a commitment to safeguarding user data in the digital age.