Who else is logged into your business's ChatGPT account right now? That's not a hypothetical question. Until June 2026, most ChatGPT users had no way to find out. Then OpenAI quietly shipped Active Sessions, a security panel that lists every device on your account and lets you boot the ones you do not recognise. For a Hong Kong SME owner who shares accounts across staff, logs in on borrowed laptops, or has never thought hard about AI account security, this is the closest thing to a free account audit you have ever had access to. This guide explains what Active Sessions is, why it matters for your business, and how to use it in under five minutes.
What Are ChatGPT Active Sessions?
ChatGPT Active Sessions is a security panel inside ChatGPT's Settings menu that shows every device, browser, and app currently signed into your account. Launched on 2 June 2026, it lets you review where your account is logged in and remotely sign out any session you do not recognise, directly from a single screen.
The feature is available to all ChatGPT account types: Free, Plus, Pro, Go, and self-serve Business accounts. The only exception is enterprise accounts that sign in through SSO (single sign-on), which manage sessions through the company's identity provider instead.
How Does the Active Sessions Panel Work?
The panel lists every active sign-in as a row. Each row shows five pieces of information: the device type (laptop, phone, or tablet), the app used (web, iOS, Android, or desktop app), the approximate location based on IP address, the sign-in date and time, and whether the device is marked as trusted. The session you are currently using is flagged so you do not accidentally lock yourself out.
Where to find it. Open ChatGPT. Click your profile picture. Go to Settings, then Security, then Active Sessions. On mobile the path is the same.
What you can do from there. You can sign out a single session by clicking "Log out" next to that row. You can also click "Log out of all sessions" to terminate every device at once, including the one you are using. Sign-out can take up to 30 minutes to propagate across all devices, so do not panic if the old session lingers briefly.
Why Active Sessions Matters for Hong Kong Small Businesses
For most Hong Kong SME owners, ChatGPT has become a daily working tool. You draft proposals, summarise meetings, write marketing copy, and occasionally upload client documents into it. That means your ChatGPT account now holds a paper trail of your business operations, almost as sensitive as your email inbox. If someone else gains access, they can read your entire chat history and continue conversations as if they were you.
Three real-world scenarios make this concrete. First, the shared-laptop problem: you signed into ChatGPT on your accountant's laptop during tax season last year and forgot to sign out. That session may still be active. Second, the ex-staff problem: a former employee used your shop's shared ChatGPT account, and you never changed the password after they left. Third, the phishing problem: someone enters your password through a fake login page, and you have no way to know they are now inside your account. Active Sessions solves all three by giving you a list you can review and clean up in under a minute.
According to OpenAI's June 2026 Trust & Safety update, account takeover is the most common security incident reported by ChatGPT business users, ahead of prompt injection and data leakage. Active Sessions is the most direct fix.
How to Use Active Sessions Step by Step
The full review takes about four minutes. Do this once a month, or immediately if you suspect anything unusual. The five steps below assume you are on a desktop browser; the mobile flow is nearly identical.
Step 1: Open the Active Sessions panel. Click your profile picture in the bottom-left corner of ChatGPT. Choose Settings, then Security, then Active Sessions.
Step 2: Scan the device list. Read each row. The session you are currently using is labelled "Current device". Your own phone and main laptop should be familiar. Any row showing a city you have not visited, a device you do not own, or a sign-in date you cannot account for is a red flag.
Step 3: Sign out unfamiliar sessions individually. Click "Log out" next to any row that does not belong to you. Confirm the prompt. The device will be signed out within 30 minutes.
Step 4: If you find anything suspicious, sign out everywhere. Click "Log out of all sessions" at the bottom of the panel. This terminates every device including your own. You will then sign back in from your usual devices. This is the fastest way to lock out an attacker.
Step 5: Change your password immediately. Active Sessions stops the active intrusion, but the attacker still knows your password. Set a new strong password, and turn on two-factor authentication in the same Security menu.
Common Misconceptions About ChatGPT Account Security
Three beliefs about ChatGPT security trip up most small business owners. Each one is partly true but leads to overconfidence.
Misconception 1: "My password is strong, so my account is safe." A strong password protects against guessing attacks, not against phishing pages, malware on a borrowed device, or a former employee who memorised it. Active Sessions catches the cases a strong password cannot.
Misconception 2: "Two-factor authentication is enough." Two-factor authentication blocks new sign-ins from unauthorised devices, which is excellent. But if someone got into your account before you enabled 2FA, that session can stay active for weeks. Active Sessions is the only way to find and kill those legacy sessions.
Misconception 3: "ChatGPT Free accounts are not worth attacking." Attackers do not target accounts by tier. They harvest credentials in bulk and try them against everything. Free accounts still carry your chat history, your saved memories, and your billing details if you have ever upgraded.
Active Sessions vs Other ChatGPT Security Settings
Active Sessions is one of three core security tools OpenAI introduced in 2026. Each protects against a different risk. Knowing which does what helps you build the right combination instead of relying on one feature.
---
Active Sessions answers the question "who is logged in right now?" It is reactive: you use it after the fact to clean up.
Two-factor authentication (2FA) answers the question "how do I make new sign-ins harder?" It is preventive: a hacker with your password still needs your phone.
Lockdown Mode answers the question "how do I limit what an attacker can do once they are in?" It restricts tools that could be abused to leak data through prompt injection, especially in shared business accounts.
---
For a Hong Kong SME, the right combination is all three: 2FA on every account, Active Sessions reviewed monthly, and Lockdown Mode enabled if multiple staff share a Business account.
How Often Should You Check Active Sessions?
For most small businesses, a monthly review is enough. Put it in the same calendar slot as your monthly bookkeeping or payroll. The check takes four minutes and creates a paper trail you can show if you ever face an insurance or compliance question about AI access controls.
There are three situations where you should check immediately rather than wait for the monthly cycle. First, when an employee leaves the company, especially if they had access to a shared account. Second, after you sign in to ChatGPT on any device that is not yours, such as a hotel laptop or a colleague's machine. Third, if ChatGPT shows you a chat or saved memory you do not remember creating. That is the clearest sign someone else has been using your account.
Frequently Asked Questions
Does signing out of all sessions delete my chats? No. Active Sessions only ends sign-ins. Your chat history, custom instructions, and saved memories all remain intact. You sign back in and everything is there.
How long does it take to fully sign out a remote device? Up to 30 minutes. The remote device may still appear responsive until the session token expires and forces a fresh login.
Can I tell whether someone was actively using my account, or only that they were signed in? Active Sessions shows sign-in time but not activity. To check what was done, scroll through your recent chat history and look for entries you did not create.
Is Active Sessions available in Cantonese or Traditional Chinese? The panel inherits whatever language you set in ChatGPT's interface settings. If your ChatGPT is set to 繁體中文, the labels will appear in Traditional Chinese.
What if my company uses ChatGPT Enterprise with SSO? Session management moves to your identity provider (Google Workspace, Microsoft Entra, Okta, etc.). Your IT administrator controls active sessions from that side, not from inside ChatGPT.
The Bottom Line for Hong Kong SME Owners
ChatGPT Active Sessions is the simplest security upgrade you can apply this week. It costs nothing, takes four minutes to use, and closes a gap that affected almost every ChatGPT account before June 2026. For a Hong Kong SME boss whose business runs through a small set of AI accounts, this is no longer optional hygiene. It is the new baseline.
The broader lesson is that AI tools have moved from experiments to operational infrastructure for small businesses. That shift requires the same care you give to your email, your accounting software, and your point-of-sale system. We understand AI. UD stands with you.
Ready to Audit Your Business's AI Setup?
Account security is one layer of a bigger picture. If you want to know whether your business is ready for AI as a daily tool, including which accounts to protect, which workflows to automate, and which tools fit your team, our AI Ready Check gives you a clear answer in 10 minutes. We will walk you through it step by step, and the assessment is free.
