ChatGPT Memory Bug Undermines Project-Only Privacy Claims

Despite OpenAI’s public assurances that ChatGPT’s "project-only" memory feature fully isolates conversational data within designated projects, multiple independent tests have exposed a critical flaw that allows the AI to recall information shared outside those boundaries. According to user reports on Reddit, when a long, randomly generated string—such as a 64-character password—is presented as the name of a person or object and later queried within a project set to "project-only" memory, ChatGPT consistently reproduces the exact string. This behavior contradicts OpenAI’s stated design principle that such projects should operate in a data vacuum, free from external context.

The bug, first documented by Reddit user /u/didyousayboop, has been replicated across multiple sessions and devices. The user employed a password generator to create a statistically unique string, then instructed ChatGPT to treat it as a fictional name—avoiding keywords like "password" or "code" that would trigger the AI’s security filters. After creating a new project with "project-only" memory enabled, the user asked ChatGPT to recall the name. The AI responded with the exact string, even though it had never been explicitly stored within the project’s memory scope. This suggests that ChatGPT’s memory architecture may retain contextual traces beyond intended boundaries, regardless of user-configured isolation settings.

OpenAI’s official documentation, as detailed in its Release Notes, emphasizes continuous improvements to context handling and model efficiency, including expanded token windows and interactive code blocks. However, none of these updates address memory containment or privacy enforcement. The absence of any mention of memory isolation fixes in recent patches raises questions about whether the company is aware of the issue—or has chosen not to prioritize it.

Experts in AI ethics warn that such lapses could have serious implications for users relying on ChatGPT for sensitive tasks. "If a user shares confidential personal data—like a spouse’s birthday, a medical condition, or a private address—under the assumption that it’s locked within a project, they may be dangerously misled," said Dr. Elena Torres, an AI security researcher at Stanford’s Center for Digital Ethics. "This isn’t just a technical glitch; it’s a breach of user trust in the foundational promise of data privacy."

Interestingly, the flaw appears to persist regardless of whether the AI classifies the input as a "permanent memory." It also requires the general "Reference chat history" setting to be enabled, suggesting the issue lies in how contextual embeddings are processed across sessions rather than in explicit memory storage. Merriam-Webster defines "despite" as "in spite of," a fitting linguistic anchor for this contradiction: ChatGPT operates despite its own privacy protocols.

OpenAI has not issued a public statement regarding the reported vulnerability. When contacted for comment, a spokesperson directed inquiries to the company’s Privacy Policy, which states that user data is used to improve services but does not clarify whether cross-project context retention is permitted. Given the increasing use of AI tools for legal, medical, and financial planning, the lack of transparency is alarming.

For now, users seeking true data isolation are advised to avoid sharing sensitive information in any ChatGPT project—even those labeled "project-only." Until OpenAI provides a patch, independent audit, or clear policy update, the integrity of its memory controls remains in question. The incident underscores a broader challenge in AI development: the gap between marketed features and actual system behavior. As AI becomes embedded in daily life, the expectation of privacy must be matched by verifiable technical enforcement—not just promises.