ChatGPT Prompt Injection and Privacy Exposure Vulnerabilities
Tenable security researchers identified seven new methods to extract private data from ChatGPT chat histories, primarily through indirect prompt injection attacks that exploit default features such as conversation memory and web search capabilities. These vulnerabilities, present in the latest GPT-5 model, allow attackers to embed malicious instructions in web content, which can then be processed by ChatGPT's intermediary model, SearchGPT, during browsing or search operations. The architectural separation between ChatGPT and SearchGPT was intended to limit such risks, but researchers demonstrated that prompt injection remains a viable attack vector, potentially exposing sensitive user information without their knowledge.
Separately, a privacy incident was uncovered where highly sensitive ChatGPT user prompts were found leaking into Google Search Console reports, exposing private conversations to website administrators. Investigators suggested this may have resulted from OpenAI scraping Google Search with actual user prompts, though OpenAI only confirmed a temporary glitch affecting query routing and stated the issue was resolved. These incidents highlight ongoing privacy and security challenges in large language model deployments, especially regarding prompt handling, web integration, and the safeguarding of user data.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Researchers disclose self-prompt-injection attack against ChatGPT
CSO Online reported that researchers found a way to trick ChatGPT into prompt-injecting itself, revealing a new technique affecting the model's behavior and security posture. The disclosure represents a distinct technical finding separate from the chat log exposure report.
Ars Technica reports ChatGPT chat logs exposed in Google Analytics tool
Ars Technica reported that ChatGPT conversation logs, including embarrassing or sensitive exchanges, were found exposed through a Google Analytics-related tool. The article indicates a real-world disclosure of unintended data leakage involving ChatGPT user interactions.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
AI Prompt Injection and Data Leakage Vulnerabilities in OpenAI's ChatGPT and Atlas Browser
Tenable Research has identified seven novel vulnerabilities and attack techniques in OpenAI's ChatGPT, including indirect prompt injections, exfiltration of user data, and bypasses of safety mechanisms in the latest GPT-5 model. These vulnerabilities allow attackers to manipulate the large language model (LLM) through crafted inputs, potentially leading to the theft of private information from user memories and chat histories, even when users simply interact with ChatGPT. The research highlights that hundreds of millions of users could be at risk, as attackers can exploit these weaknesses to bypass safeguards and extract sensitive data without user awareness. The release of OpenAI's ChatGPT Atlas, an AI-powered browser that remembers user activities and acts autonomously, further amplifies these concerns. Security experts warn that features such as persistent memory and autonomous actions increase the attack surface, making the browser susceptible to prompt injection and other AI-specific vulnerabilities. The implications for enterprise security and privacy are significant, as these AI-driven tools become more integrated into business processes, necessitating new approaches to identity management, access controls, and oversight to mitigate the risks posed by advanced AI-enabled attacks.
Jun 29, 2026
ChatGPT Vulnerabilities Enable Data Exfiltration via ShadowLeak and ZombieAgent
Security researchers at Radware have uncovered critical vulnerabilities in OpenAI's ChatGPT platform, specifically targeting its Connectors and Memory features. These flaws, named ShadowLeak and ZombieAgent, allow attackers to exfiltrate sensitive data from connected services such as Gmail, Outlook, and GitHub without user interaction. The attacks exploit the AI's tendency to follow embedded malicious instructions, enabling zero-click and one-click data theft, persistent access through memory modification, and even propagation to other users by harvesting email addresses. OpenAI initially attempted to mitigate these vulnerabilities by restricting dynamic URL modifications, but researchers demonstrated effective bypasses using pre-built static URLs, reviving the threat under the new moniker ZombieAgent. The vulnerabilities highlight the inherent risks of integrating AI assistants with external systems and storing long-term user data for personalization. Attackers can embed hidden prompts in emails or files—using techniques like white text or tiny fonts—that are executed when ChatGPT processes the content, leading to stealthy data leaks via OpenAI's own servers. Despite OpenAI's efforts to patch the flaws, the reactive nature of these fixes has left the platform susceptible to new variants, underscoring the ongoing challenge of securing AI-driven services against prompt injection and data exfiltration attacks.
Jun 29, 2026
AI Chatbot Security Risks: Prompt Injection Data Exfiltration and Privacy Trade-offs in New Consumer Tiers
Researchers disclosed an **indirect prompt injection** technique against **Google Gemini** that used a malicious **Google Calendar invite** to bypass guardrails and exfiltrate private meeting details. By embedding a hidden natural-language payload in an event description, an attacker could cause Gemini—when later asked an innocuous scheduling question—to summarize a user’s private meetings and write that summary into a newly created calendar event; in many enterprise configurations, that new event could be visible to the attacker, enabling data theft without additional user interaction. The issue was reported as remediated after responsible disclosure, underscoring how AI assistants integrated with enterprise SaaS can create new cross-application data-extraction paths. Separately, OpenAI product rollouts raised enterprise data-handling concerns tied to consumer usage. **ChatGPT Go** (a low-cost tier) was described as introducing an **ad-supported** model that could increase exposure of conversation data and usage patterns to advertising ecosystems, amplifying “shadow AI” risk when employees use personal accounts for work. **ChatGPT Health** was positioned as a dedicated health experience with added protections (e.g., encryption/isolation and claims that user data is not used to train foundation models), but reporting highlighted unresolved questions around safety, privacy, and how sensitive health information is protected in practice—areas that may require additional governance and controls if employees adopt these tools outside approved enterprise channels.
Jun 29, 2026