In September this year, some developers using Google Search Console discovered an anomaly - chat-like text appeared in the website's search traffic report instead of the previous short search terms. These new entries look more like private conversations between users and chatbots about personal or work-related questions, rather than the site's usual search visitor requests.
Google Search Console was originally used to show how users access the website through Google search. To the shock of website administrators, the new content bore no resemblance to the search terms and looked more like private conversations with chatbots being logged into a system that was supposed to contain only traffic analysis data.
This anomaly was first published by Jason Packer, founder of the analytics company Quantable, on the company's blog. Working with website optimization consultant Slobodan Manić, he spent weeks replicating the experiment, testing different inputs, and tracking the interaction of ChatGPT's search functionality with Google's indexing system. The final findings revealed privacy risks that went far beyond a "mere malfunction."
According to Packer and Manić's testing, some ChatGPT sessions inadvertently route user prompts to Google searches. They traced it back to a specific URL pattern — https://openai.com/index/chatgpt/ — that appears repeatedly at the beginning of the leaked content. When Google performs word segmentation on the address, it will be parsed into "openai", "index", and "chatgpt". For websites that rank highly for these words, you can see that some ChatGPT user prompts are recorded in the Search Console backend.
In other words, if a user tip submitted by ChatGPT triggers an external search, Google will sometimes record the tip itself as the search term. For the administrators of the affected sites, the leaked prompt words will appear in the background as traffic data.
OpenAI acknowledged the issue, calling it "a routing glitch that briefly affected a small number of searches" and said it had been fixed without elaborating. Packer welcomed OpenAI's quick fix, but noted that the company had not addressed the larger question: whether the incident confirmed that ChatGPT continued to scrape Google search results to enhance its response.
This issue involves the "web browsing" behavior introduced by ChatGPT in the new version of the GPT-5 model - when the system determines that a prompt requires the latest or external information, a web search will be triggered. However, Packer and Manić discovered that there was a "hints=search" parameter in one version of the chat interface, which triggered a search almost every time.
Also, a bug in the input box caused the referrer URL to be appended to every query. In this way, every time ChatGPT performs a search, Google not only records the URL, but also the user's prompt. Because Search Console tracks the entire search string, this makes user prompts "fully visible" to the relevant site owner.
Packer believes the system interacts directly with Google's indexing infrastructure, rather than through a private API or internal data channel (which would otherwise not show up in Search Console). This unexpected visibility actually shows that ChatGPT is performing live Google searches and exposing user input to Google and all related sites.
OpenAI said that only a very small number of search requests were leaked and did not give a specific number, so it is not yet clear how many of its 700 million weekly active users were affected.
Previously, there was a problem where users found that their public links to ChatGPT were included by Google's main website. At that time, OpenAI claimed that the user had mistakenly operated the sharing switch. In this case, Packer emphasized that no user action triggered the leak. "There's no consent mechanism involved," he told Ars Technica in an interview. “No one clicked ‘share,’ and the prompt words were incorrectly routed.” Unlike public pages, entries in Search Console cannot be manually deleted by affected users, so the content will always be exposed to website owners who rank for relevant keywords.
Researchers suspect the anomaly may also be related to a phenomenon known in search engine analytics circles as the "crocodile's mouth" - a spike in impressions but a drop in clicks on the Search Console graph. If the OpenAI system repeatedly queries Google with a large number of synthetic queries, it is likely to distort these analysis data.
Packer and Manić are still unable to confirm whether OpenAI's fix completely blocks all types of prompt word leaks, or only solves a bug in the specific URL routing mechanism. They said they needed to continue to pay attention. "We don't know yet whether it only affects a certain interface, or whether it involves a wider range of conversations," Packer said. "In short, this reminds us that there are still many uncontrollable and unpredictable risks in the processing of user data by the systems behind these AI tools."