ChatGPT suffered a cyberattack apparently tied to the Kremlin.
What's new: A ChatGPT outage on November 8 most likely was caused by a distributed denial of service (DDoS) attack, OpenAI revealed.
What happened: ChatGPT went down shortly before 9:00 a.m. Eastern Time and remained out of service for about 90 minutes. Intermittent outages of unknown cause had affected OpenAI and other services during the previous two days.
- Initially, OpenAI CEO Sam Altman claimed the outages reflected high user interest after OpenAI had announced new features earlier in the week. Later, the company stated that the traffic pattern suggested malicious activity consistent with DDoS.
- A group called Anonymous Sudan claimed responsibility. Anonymous Sudan has been linked to previous cyberattacks on Microsoft, X, NATO, the European Investment Bank, and a number of Israeli civilian and military institutions. The group purports to operate from Africa on behalf of oppressed Muslims around the world, but some cybersecurity analysts believe it’s linked to the Russian government.
- The outage followed less-critical incidents during the prior two days; the causes have not been reported. On November 8, DALL·E 3’s API showed elevated error rates throughout the day. The previous day, parts of OpenAI’s API were unavailable at times.
- ChatGPT competitor Claude 2 also reported services issues on November 8 due to an unknown cause.
DDoS basics: In a DDoS attack, malicious programs running independently on numerous machines flood a website with requests, disrupting service. The distributed nature of the attack makes it difficult to trace or combat. Almost all cloud providers and large websites use DDoS mitigation services or their own technology to defend against such attacks. However, such defenses don’t always block an especially determined or resourceful attacker.
Why it matters: The ChatGPT outage is a sobering reminder that API-powered services are vulnerable to targeted attacks, and providers need to be proactive about protecting themselves and their users.
We're thinking: While no one likes downtime, it’s hard to defend against a state-sponsored DDoS. It’s a testament to OpenAI’s impact that just 90 minutes of downtime was felt around the world.