OpenAI Download Data Request not initiated by me, but all of my accounts are secured?
I received an email about 2 hours ago indicating a request to download the archive of my ChatGPT account was received and is being processed. I did not request this. The headers on the email indicate the email is real.
I logged into the OpenAI privacy portal by typing https://privacy.openai.com into the browser address bar. I validated the endpoint was legitimate through the shield icon in the browser.
I clicked where it said "2 Active Requests" in the top right of the page. Here's the problem:
- I had an active request in process as of two hours ago (approximately). I received the email notification of this.
- An active request was processed and completed three days ago (on April 17th), but I did not receive an email notification it was requested or ready.
I validated I could download the archive from the earlier request on the 17th. This was a valid archive. I cancelled the request from today.
From the security perspective:
- I have validated that I have MFA enabled on my OpenAI account (through my mobile authenticator only).
- I have validated that all available OpenAI auth methods (Google, Apple, and Microsoft) have themselves MFA enabled from my mobile authenticator (I never used OpenAI or ChatGPT with a traditional username and password).
- I have validated that my Google, Apple, and Microsoft accounts do not have any unknown active sessions or unknown logged-in devices.
- I have validated there are no security events that have been recorded across any of these services related to my account over the last 28 days (or approximate period totaling 28 days per their account security review options).
- I have validated that all devices I use which access the above services (iPhone, Samsung phone, iPad, MacBooks, Windows Desktops) have the latest security updates. All devices also have some variation of BitDefender installed.
- All of my passwords are randomly generated and unique. Each password is stored in a password manager and is updated at a minimum every 12 months.
- I have enabled MFA on any service which offers MFA. All of my MFA is centralized on a mobile authenticator, from one of the prior named services, on my iPhone only. My iPhone has never left my possession.
- I am very much so a "nobody", and not someone who would or should be any kind of person of interest.
- I have received no emails from OpenAI between March 27th and today (excepting the email today).
- The completed export of the account on the 17th (3 days ago) generated no emails; none on the request and none on the completion of the request.
I'm at a loss at this point. I've sent an email to privacy@openai.com but I'm just trying to brainstorm the who/what/where/when/how and looking for any suggestions anyone might have. The best brainstorming suggestion I've landed on was that OpenAI's compliance team initiated an export of my account internally, given that the previous request appears to have bypassed the portal's normal email verification and notification pipeline entirely?