🤖 AI Summary
Researchers and security analysts have reported that ChatGPT clients were observed transmitting unhashed personally identifiable information (PII) in network traffic. The issue reportedly involved user-identifying fields — such as names, emails, or other form data — being included in outgoing requests or telemetry payloads in cleartext or without adequate hashing/redaction, allowing intermediaries, logs, or third-party endpoints to capture sensitive data. While specifics vary by client, the core problem is the lack of client-side data minimization and proper redaction before network transmission.
This matters to the AI/ML community because exposed PII breaks privacy guarantees, increases regulatory risk (GDPR, CCPA), and can leak sensitive training signals that contaminate datasets or enable user re-identification. Technically, attackers or network observers can gather persistent identifiers from traffic logs, referrer headers, or telemetry streams; downstream storage without redaction amplifies the risk. Immediate mitigations include updating to patched clients, disabling nonessential telemetry, ensuring all endpoints use end-to-end encryption and strict logging policies, hashing/salting or tokenizing identifiers client-side, and auditing SDKs and proxy configs for inadvertent header or payload leakage. Long-term fixes should enforce strict data-minimization by design, transparent retention policies, and third-party audits to prevent future leaks.
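As an added example (not code from the article or from any ChatGPT client), a client-side telemetry sanitizer in Python that applies the mitigations named above: identifier fields are replaced with keyed HMAC tokens, free-text identity fields are dropped, and e-mail addresses embedded in other strings are redacted before the payload is serialized. The key, field names and sample event are constructed assumptions.

```python
import hashlib
import hmac
import json
import re

# Hypothetical per-installation secret; a real client would load it from
# secure storage, never hard-code it. Constructed value for this example.
TOKEN_KEY = b"constructed-example-key-do-not-use"

# Identifiers that must never leave the client in raw form (assumed names).
IDENTIFIER_FIELDS = {"email", "user_id", "phone"}
# Free-text identity fields: dropped entirely (data minimization).
DROP_FIELDS = {"name", "prompt_text"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def tokenize(value: str) -> str:
    """Keyed HMAC: stable for joins, not reversible without the key."""
    normalized = value.strip().lower().encode()
    return hmac.new(TOKEN_KEY, normalized, hashlib.sha256).hexdigest()[:32]


def sanitize_telemetry(event: dict) -> dict:
    """Return a copy of the event that is safe to put on the wire."""
    out = {}
    for key, value in event.items():
        if key in DROP_FIELDS:
            continue
        if key in IDENTIFIER_FIELDS:
            out[key + "_token"] = tokenize(str(value))
        elif isinstance(value, str):
            out[key] = EMAIL_RE.sub("[redacted-email]", value)
        else:
            out[key] = value
    return out


def contains_raw_pii(payload: str, raw_values) -> bool:
    """Pre-send check: does the serialized payload still carry any raw value?"""
    lowered = payload.lower()
    return any(str(v).lower() in lowered for v in raw_values)


SAMPLE_EVENT = {  # constructed telemetry event
    "event": "message_sent",
    "email": "Alice@Example.com",
    "user_id": "u-12345",
    "name": "Alice Smith",
    "error": "rate limit for alice@example.com exceeded",
    "latency_ms": 412,
}

if __name__ == "__main__":
    body = json.dumps(sanitize_telemetry(SAMPLE_EVENT))
    print(body)
    print("raw PII present:", contains_raw_pii(body, ["alice@example.com", "Alice Smith"]))
```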