Editor's take: The glitch illustrates the complexity of integrating generative AI systems with real-time search data. Scraping search results across public infrastructures raises both technical and ethical challenges that AI developers are still working to manage.
A quiet but troubling anomaly emerged in September when developers using Google Search Console began spotting chat-style text strings inside their search traffic reports. Instead of the short search phrases usually logged by the analytics tool, some entries appeared to contain entire ChatGPT prompts written by real users, often describing personal or work-related problems.
Google Search Console is designed to show how people find a website through Google Search. What startled site managers was that these new entries looked nothing like search terms. They resembled private conversations with a chatbot, recorded inside a system built for web traffic analytics.
The anomaly was first reported by Jason Packer, founder of the analytics firm Quantable, who published an investigation on his company's blog. Working with web optimization consultant Slobodan Manić, Packer spent weeks reproducing the issue, testing different inputs, and probing how ChatGPT's search functions interacted with Google's indexing systems. What they found led to a conclusion that raised privacy questions far beyond a simple glitch.
According to Packer and Manić's testing, some ChatGPT sessions unintentionally routed user prompts to Google Search. The pair traced the behavior to a specific URL pattern – https://openai.com/index/chatgpt/ – that repeatedly appeared at the beginning of the leaked queries. When Google tokenized that address, it split it into separate search terms ("openai," "index," "chatgpt"), and websites ranking highly for those terms saw the resulting data surface in their Search Console dashboards.
In other words, if ChatGPT submitted a prompt that triggered an external search, Google sometimes treated parts of that prompt itself as a search query and recorded it as such. To anyone managing an affected website, that leaked prompt would appear among their traffic data.
OpenAI acknowledged the issue but described it as a routing glitch that briefly impacted a small set of searches. The company said the problem had been resolved and declined to elaborate. Packer welcomed OpenAI's quick fix but noted that the company had sidestepped the larger question – whether the incident confirmed ongoing scraping of Google Search results to feed ChatGPT responses.
The issue appeared to involve ChatGPT's "web browsing" behavior, introduced in newer GPT-5 models. Typically, the chatbot performs a web search when it determines that a prompt requires recent or externally sourced information. However, Packer and Manić discovered that one version of the chatbot's interface included a parameter – "hints=search" – that caused it to search nearly every time.
A bug in the prompt box apparently attached the referring URL to each query. When ChatGPT executed that search, Google recorded both the appended URL and the user's prompt. Because Search Console tracks the full search queries users enter, those text strings became visible to site owners monitoring traffic data under those tokens.
Packer concluded that the system must have interacted directly with Google's indexing infrastructure rather than via a private API. "If it had been an API or a private data channel, it wouldn't appear inside Search Console," he wrote. The accidental visibility strongly implied that ChatGPT was performing live Google searches, effectively sharing user-submitted text with both Google and any websites that surfaced in those results.
OpenAI maintains that only a small number of search queries leaked. It has not provided a specific figure, leaving it unclear how many users among ChatGPT's roughly 700 million weekly users may have had text routed to Search Console.
The episode follows earlier privacy issues that surfaced when users discovered public links to their ChatGPT conversations indexed in Google's main search results. At the time, OpenAI said those leaks stemmed from users who unknowingly clicked a sharing toggle. This latest case, Packer emphasized, is different: no user action appears to have triggered it.
"There was no consent mechanism involved," he told Ars Technica. "Nobody clicked 'share.' These prompts were just misrouted." Unlike public pages, Search Console entries cannot simply be removed by the affected users, leaving the exposed text visible to any site owner whose page ranked for the relevant search terms.
The researchers suspect the malfunction may intertwine with a separate phenomenon observed by search-engine analysts known as "crocodile mouth" – a widening gap in Search Console charts where impressions spike but clicks fall. If OpenAI's systems were repeatedly hitting Google with long synthetic queries, they could have distorted those analytics patterns.
Packer and Manić say they still do not know whether the fix OpenAI implemented prevents all forms of prompt leakage or only stops the specific routing behavior tied to the buggy URL. For now, they remain cautious. "We don't know if it was limited to one interface or if it affected a broader set of sessions," Packer said. "Either way, it's a sign that the systems powering these tools still handle user data in unpredictable ways."