Taskup Data Incident

Taskup Data Incident

Taskup Data Incident

On May 27, 2021, we were made aware that around 100 text clippings from AI Dungeon stories had been posted to 4chan. We immediately launched an investigation into the incident, determining the source to be a company named Taskup. AI Dungeon does not, and did not, use Taskup or any other contractor for moderation. We reached out to our AI vendor, OpenAI, to determine if they were aware of Taskup.

OpenAI informed us that they had conducted an investigation and determined that their data labeling vendor was using Taskup. They found that a single contractor employed by Taskup was responsible. The contractor’s job was to label data as part of OpenAI's effort to identify textual sexual content involving children, including some AI Dungeon data that was shared without our knowledge or permission. The contractor posted parts of stories to 4chan. OpenAI informed us they stopped sending samples to this vendor.

What heightened the sensitivity of this leak was the Taskup contractor claimed to have access to doxxable information on an AI Dungeon player. Although this information was never publicly released, we understand a player may have entered real names and locations into their adventure, and that this may have been present in the data the Taskup contractor accessed. AI Dungeon has not, and does not, solicit personal information outside of email addresses used for logging into the system. We have zero tolerance for doxxing in our community.

We made the mistake of waiting to disclose this incident to our players. Our legal counsel at the time advised us not to share publicly until we had fully reported to all GDPR jurisdictions. This was unnecessary, and a mistake. We’re no longer working with that legal team. Another factor that contributed to the delayed disclosure was that, at the time, OpenAI required that all communications be approved by their team, and permission to disclose took longer than we would have liked.

Since this incident, we now require greater data protection protocols from our tech providers to prevent issues like this from occurring again. OpenAI is no longer our primary AI provider.

We have also changed our communication strategy around any major events impacting players. We demonstrated this recently in Aug 2022 when our S3 servers were accessed. We informed our community immediately, updated whenever we had new information, and communicated with affected players and the broader community after the issue was identified and resolved. Nick, our CEO, also led a Q&A in our Discord server to discuss the incident and the changes we made afterward. Our goal is to be transparent, prompt, and clear in all communications.

We continue to listen to our players’ feedback, especially on topics around filters, moderation, and privacy. Through the improvements and changes we’ve made (and will continue to make) we hope we can regain the trust of players who were impacted by our mistakes.


© Latitude 2023