OpenAI Introduces ChatGPT Account Security Controls

▼ Summary
– OpenAI introduced Lockdown Mode for ChatGPT, an optional setting that limits outbound network requests to block data theft via prompt injection.
– Lockdown Mode was first offered to enterprise plans in February and reached personal and self-serve business accounts in early June.
– The feature prevents data exfiltration by choking off the attacker’s route, but disables live connector access, write actions, and Developer Mode.
– The second control, Active Sessions, lets users audit logged-in devices and end sessions, with full sign-out taking up to 30 minutes.
– Active Sessions is unavailable for accounts using single sign-on (SSO) and does not track third-party app sessions or Codex CLI logins.
ChatGPT users now have two new ways to lock down their accounts: an optional setting to block data theft via prompt injection and a dashboard to track and manage active sign-ins.
OpenAI’s first addition, Lockdown Mode, is a voluntary security toggle that restricts how deeply ChatGPT can interact with the web and external services. Initially rolled out to enterprise plans back in February, the feature started reaching personal and self-serve business accounts in early June.
The threat it addresses is far from theoretical. Researchers have repeatedly demonstrated how a single hidden instruction buried in a webpage or file can siphon data from a linked inbox or expose a user’s entire conversation history.
Rather than trying to intercept the malicious prompt itself, Lockdown Mode attacks the final stage of the attack: it cuts off the outbound network requests an attacker would use to ship stolen data out of the system. The injected text still reaches the model undisturbed, hidden within a web page or document, but the model can no longer send anything back.
Cybersecurity expert and prominent open-source developer Simon Willison, who first popularized the term prompt injection, praised the approach. “This looks really good to me,” he wrote on his blog over the weekend.
Willison has long argued that the most effective defense against prompt injection is to block the attacker’s exfiltration route. Lockdown Mode does exactly that, using deterministic controls that a compromised model cannot override.
But he also noted that the feature’s existence implies ChatGPT’s default configuration cannot fully prevent a determined data theft attempt.
There is a trade-off: enabling Lockdown Mode disables live connector access and write actions, sidelining tools like the Finances feature and shopping agents. It also cannot run simultaneously with Developer Mode. OpenAI has positioned the setting for users and organizations handling sensitive data, rather than the general public.
The second control, Active Sessions, introduces session management to ChatGPT’s security settings. It lets users audit exactly where their account is currently logged in. Each session entry displays:
- The device or browser usedUsers can terminate a single session or sign out from everywhere at once, though a full logout can take up to 30 minutes. If anything looks suspicious, OpenAI recommends changing the password, reviewing sign-in methods, and contacting support.One notable gap remains for larger organizations: the feature is not available on accounts that use single sign-on (SSO), including SAML and OpenID Connect. It also does not track third-party app sessions or Codex CLI logins.





