OpenAI bans paying developer who reported credential hijack with 7 months of proof
A paying subscriber who meticulously documented a seven-month credential hijack was banned instead of helped—revealing a dangerous asymmetry in how AI companies handle security incidents.
A long-term ChatGPT Plus subscriber spent seven months compiling evidence of a systematic credential hijack: 20 support tickets, documented account anomalies, memory corruption, and unauthorized access to project files. OpenAI acknowledged the case (ticket 06830839) and the persistent issues, yet the final resolution was not a fix, but a ban. The user, who had paid for the service throughout, was left locked out without explanation. This is not an isolated glitch. It is a pattern that exposes a fundamental tension in the AI industry: as platforms rush to monetize advanced features—memory, personalization, file storage—they are failing to build the account security and support escalation processes that paying users deserve.
The incident sits within a wider landscape of inconsistent security practices. Anthropic's Claude offers dedicated support channels for Pro and Team subscribers, but has faced community complaints about slow responses. Google's Gemini benefits from the parent company's mature account ecosystem—two-factor authentication, recovery flows, and enterprise-grade identity management—but consumer support remains heavily automated. Microsoft's Copilot, integrated with Azure Active Directory, provides robust credential management for business users, yet consumer-level issues still fall through the cracks. The common thread is that no major AI platform has yet made transparent, human-in-the-loop security support a core feature. For a market valued at over $80 billion (OpenAI's 2024 valuation) and subscription revenue estimated at $2-3 billion annually, the cost of ignoring this is mounting.
The hidden risks extend beyond one user's frustration. Stolen credentials can expose sensitive data stored in ChatGPT's memory—personal schedules, confidential work projects, even creative IP. If a hijack goes unresolved, that data could be exfiltrated or manipulated. Moreover, banning the reporter of a hijack may violate internal terms of service and could trigger regulatory scrutiny under frameworks like the EU Digital Services Act, which mandates transparent dispute resolution for platforms serving EU users. There is also a risk that automated abuse-detection systems flag repeated support tickets as spam, effectively punishing the victim for trying to escalate. This creates a perverse incentive: users may stop reporting problems, leaving vulnerabilities unaddressed and trust eroded.
The bottom line is clear. AI companies that prioritize subscription growth over robust support and transparent account recovery are building on sand. As competitors improve their own security postures—and as regulators begin to scrutinize AI platform accountability—this incident should serve as a wake-up call. The next logical step is for the industry to adopt standardized security incident protocols, mandatory human review before account closures, and clear appeal processes. Otherwise, the very users who pay for advanced features will become the first to leave when trust breaks.
- OpenAI's response to a documented seven-month hijack—banning the victim after 20 tickets—signals a systemic failure in support escalation for paying users.
- Credential hijacks on AI platforms risk exposing sensitive data stored in memory and personalization features, raising privacy and intellectual property concerns.
- Regulators (e.g., under the EU Digital Services Act) may soon consider account termination transparency as a compliance requirement for AI services.
Why It Matters
AI subscription growth depends on trust; opaque support and security gaps could drive power users to competitors with better safeguards.