ChatGPT Privacy Breach: User Prompts Accidentally Leaked into Google Search Console

A ChatGPT glitch just leaked private prompts into Google Search Console

Serving tech enthusiasts for over 25 years. TechSpot means tech analysis and advice you can trust. Editor's take: The glitch illustrates the complexity of integrating generative AI systems with real-time search data. Scraping search results across public infrastructures raises both technical and ethical challenges that AI developers are still working to manage. A quiet but troubling anomaly emerged in September when developers using Google Search Console began spotting chat-style text strings inside their search traffic reports. Instead of the short search phrases usually logged by the analytics tool, some entries appeared to contain entire ChatGPT prompts written by real users, often describing personal or work-related problems. Google Search Console is designed to show how people find a website through Google Search. What startled site managers was that these new entries looked nothing like search terms. They resembled private conversations with a chatbot, recorded inside a system built for web traffic analytics. The anomaly was first reported by Jason Packer, founder of the analytics firm Quantable, who published an investigation on his company's blog. Working with web optimization consultant Slobodan Manić, Packer spent weeks reproducing the issue, testing different inputs, and probing how ChatGPT's search functions interacted with Google's indexing systems. What they found led to a conclusion that raised privacy questions far beyond a simple glitch. According to Packer and Manić's testing, some ChatGPT sessions unintentionally routed user prompts to Google Search. The pair traced the behavior to a specific URL pattern - https://openai.com/index/chatgpt/ - that repeatedly appeared at the beginning of the leaked queries. When Google tokenized that address, it split it into separate search terms ("openai," "index," "chatgpt"), and websites ranking highly for those terms saw the resulting data surface in their Search Console dashboards. In other words, if ChatGPT submitted a prompt that triggered an external search, Google sometimes treated parts of that prompt itself as a search query and recorded it as such. To anyone managing an affected website, that leaked prompt would appear among their traffic data. OpenAI acknowledged the issue but described it as a routing glitch that briefly impacted a small set of searches. The company said the problem had been resolved and declined to elaborate. Packer welcomed OpenAI's quick fix but noted that the company had sidestepped the larger question - whether the incident confirmed ongoing scraping of Google Search results to feed ChatGPT responses. The issue appeared to involve ChatGPT's "web browsing" behavior, introduced in newer GPT-5 models. Typically, the chatbot performs a web search when it determines that a prompt requires recent or externally sourced information. However, Packer and Manić discovered that one version of the chatbot's interface included a parameter - "hints=search" - that caused it to search nearly every time. A bug in the prompt box apparently attached the referring URL to each query. When ChatGPT executed that search, Google recorded both the appended URL and the user's prompt. Because Search Console tracks the full search queries users enter, those text strings became visible to site owners monitoring traffic data under those tokens. Packer concluded that the system must have interacted directly with Google's indexing infrastructure rather than via a private API. "If it had been an API or a private data channel, it wouldn't appear inside Search Console," he wrote. The accidental visibility strongly implied that ChatGPT was performing live Google searches, effectively sharing user-submitted text with both Google and any websites that surfaced in those results. OpenAI maintains that only a small number of search queries leaked. It has not provided a specific figure, leaving it unclear how many users among ChatGPT's roughly 700 million weekly users may have had text routed to Search Console. The episode follows earlier privacy issues that surfaced when users discovered public links to their ChatGPT conversations indexed in Google's main search results. At the time, OpenAI said those leaks stemmed from users who unknowingly clicked a sharing toggle. This latest case, Packer emphasized, is different: no user action appears to have triggered it. "There was no consent mechanism involved," he told Ars Technica. "Nobody clicked 'share.' These prompts were just misrouted." Unlike public pages, Search Console entries cannot simply be removed by the affected users, leaving the exposed text visible to any site owner whose page ranked for the relevant search terms. The researchers suspect the malfunction may intertwine with a separate phenomenon observed by search-engine analysts known as "crocodile mouth" - a widening gap in Search Console charts where impressions spike but clicks fall. If OpenAI's systems were repeatedly hitting Google with long synthetic queries, they could have distorted those analytics patterns. Packer and Manić say they still do not know whether the fix OpenAI implemented prevents all forms of prompt leakage or only stops the specific routing behavior tied to the buggy URL. For now, they remain cautious. "We don't know if it was limited to one interface or if it affected a broader set of sessions," Packer said. "Either way, it's a sign that the systems powering these tools still handle user data in unpredictable ways."

ChatGPT just accidentally leaked private chats into Google Search (again) -- how to stay safe

A routing bug exposed snippets of user chats inside Google's analytics tool If you've ever used ChatGPT to look something up online, you probably assumed your conversation was private -- even when the chatbot searched the web on your behalf. But a recent glitch proves that assumption might not always hold. Earlier this month, developers began noticing something strange in their Google Search Console dashboards. Instead of short keyword-based queries, they were seeing full, human-like sentences -- the kind you'd expect to type into ChatGPT, not Google. These oddly specific entries raised an eyebrow, then alarm. Unfortunately, this isn't the first time this has happened. What followed was a deeper investigation by analytics researcher Jason Packer and consultant Slobodan Manić. They traced the activity back to ChatGPT's web browsing mode, discovering that a subset of conversastions had accidentally leaked into the public search infrastructure, and ended up being visible to unrelated website owners. First reported by Ars Technica, the issue was tied to a hidden "hints=search" tag used in some ChatGPT sessions. That tag told the chatbot to perform a real-time web search -- but in doing so, parts of the user's prompt were sometimes included in the resulting URL. Since Google's systems automatically scan and index anything that looks like a search term, it picked up those URLs (and the private text inside them) and logged them in site owners' analytics dashboards. As stated in the report by Ars Technica, OpenAI acknowledged the glitch, stating that it affected only "a small set of searches" and has since been fixed. However, the company didn't say how long the issue persisted or how many users were impacted. Although the leak didn't expose passwords or personally identifiable information, it raises serious questions about how generative AI systems interact with public infrastructure like Google Search. ChatGPT's browsing mode is designed to operate in real time, and in this case, it inadvertently used live search pathways that made private input visible. This isn't the first time ChatGPT data has ended up in places it wasn't meant to. Earlier this year, users discovered that shared chat links were being indexed by Google. At the time, that was chalked up to users enabling a share setting. But this new glitch is more troubling since it didn't involve any user action at all. While OpenAI has fixed the routing issue, here are a few ways to protect your privacy when using any AI tool with web access: As AI tools continue to blend with web infrastructure, even small routing bugs can have unexpected consequences. Being mindful of what you type -- and how the tool is configured -- is your best first line of defense. This glitch goes beyond raising privacy concerns; it may have also messed with how websites track their traffic. While we still don't know for sure how AI broswers are truly determining website traffic, there is evidence that AI is behind a weird pattern showing up in analytics, called the "crocodile mouth." This phenomenon is when a site sees a big spike in how often it appears in search results (impressions), yet almost no one actually clicks on it. These spikes might have been caused by AI tools like ChatGPT sending out long, bot-like searches that aren't coming from real people. Even though OpenAI says the problem is fixed, the incident shows just how easy it is for a small bug in an AI system to ripple out and cause confusion on a much larger scale. As AI becomes more connected to the internet through AI browsers, it's important for users to be diligent about staying safe and be aware of possible risks.