OpenAI Adds ChatGPT Lockdown Mode and Elevated Risk Labels to Reduce Prompt-Injection Exfiltration
OpenAI introduced Lockdown Mode and Elevated Risk labels in ChatGPT to reduce exposure to prompt injection and related data-exfiltration risks when AI features interact with external systems. Lockdown Mode is positioned as an optional, advanced setting for higher-risk users and environments (notably ChatGPT Enterprise, Edu, for Healthcare, and for Teachers) that restricts tool access and limits how ChatGPT can reach outside systems; reported controls include disabling or constraining capabilities attackers could abuse via conversations or connected apps, and limiting browsing so that no live network requests leave OpenAI-controlled infrastructure (with browsing constrained to cached content). Admins can enable the setting via workspace controls and apply additional restrictions through dedicated roles, while Elevated Risk labels provide in-product warnings and guidance for features that increase risk when connecting to apps or the web, including across ChatGPT, ChatGPT Atlas, and Codex.
Separate research highlighted how AI assistants with web-browsing/URL-fetching features can be abused as stealthy command-and-control (C2) relays, demonstrating a technique against Microsoft Copilot and xAI Grok that tunnels operator commands and victim data through legitimate AI web interfaces and can work without an API key or registered account. In parallel, the European Parliament reportedly disabled built-in AI tools on lawmakers’ work devices due to cybersecurity and privacy concerns about uploading sensitive correspondence to third-party cloud AI providers and uncertainty about what data is shared and retained. Other referenced material focused on general productivity customization of ChatGPT via “Custom Instructions,” rather than a specific security event or disclosure.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
OpenAI introduces ChatGPT Lockdown Mode and Elevated Risk labels
OpenAI launched two new ChatGPT security features—Lockdown Mode and Elevated Risk labels—to reduce prompt injection, data exfiltration, and other advanced threats when AI tools connect to external systems. Lockdown Mode was made available as an optional setting for certain business and regulated offerings, while Elevated Risk labels were added across ChatGPT, ChatGPT Atlas, and Codex to warn users about higher-risk features.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
How ChatGPT's new Lockdown Mode protects you from cyberattacks - and why it's not for everyone | ZDNET
zdnet.com
Open sourceChatGPT gets new security feature to fight prompt injection attacks - Help Net Security
helpnetsecurity.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
OpenAI Adds ChatGPT Lockdown Mode to Curb Prompt-Injection Data Exfiltration
OpenAI has begun rolling out **Lockdown Mode** for ChatGPT accounts as an optional security setting designed to reduce data exfiltration risk from prompt-injection attacks. The feature is available for eligible personal users across Free, Go, Plus, Pro, and self-serve ChatGPT Business plans, with reporting also indicating availability for managed enterprise workspaces. When enabled, it restricts or disables capabilities that create outbound paths to external services, including live web browsing, image retrieval or support, deep research, agent mode, Canvas networking approvals, and external file downloads. OpenAI said the control is intended for people handling sensitive data, but warned it does **not** prevent prompt injections from reaching model context, stop manipulated responses, or guarantee complete prevention of data leakage. The company added that Lockdown Mode cannot be used at the same time as Developer Mode and does not change memory, file upload, or conversation-sharing behavior. For enterprise use, OpenAI said protection also depends on administrator controls such as **RBAC**, trusted app settings, and connector permissions, while residual risk remains through third-party apps, feature combinations, and emerging attack techniques; it also introduced session-management tools so users can review active ChatGPT sessions and sign out of individual or all sessions if suspicious activity is detected.
Jun 9, 2026
AI Chatbot Security Risks: Prompt Injection Data Exfiltration and Privacy Trade-offs in New Consumer Tiers
Researchers disclosed an **indirect prompt injection** technique against **Google Gemini** that used a malicious **Google Calendar invite** to bypass guardrails and exfiltrate private meeting details. By embedding a hidden natural-language payload in an event description, an attacker could cause Gemini—when later asked an innocuous scheduling question—to summarize a user’s private meetings and write that summary into a newly created calendar event; in many enterprise configurations, that new event could be visible to the attacker, enabling data theft without additional user interaction. The issue was reported as remediated after responsible disclosure, underscoring how AI assistants integrated with enterprise SaaS can create new cross-application data-extraction paths. Separately, OpenAI product rollouts raised enterprise data-handling concerns tied to consumer usage. **ChatGPT Go** (a low-cost tier) was described as introducing an **ad-supported** model that could increase exposure of conversation data and usage patterns to advertising ecosystems, amplifying “shadow AI” risk when employees use personal accounts for work. **ChatGPT Health** was positioned as a dedicated health experience with added protections (e.g., encryption/isolation and claims that user data is not used to train foundation models), but reporting highlighted unresolved questions around safety, privacy, and how sensitive health information is protected in practice—areas that may require additional governance and controls if employees adopt these tools outside approved enterprise channels.
Mar 21, 2026
AI Prompt Injection and Data Leakage Vulnerabilities in OpenAI's ChatGPT and Atlas Browser
Tenable Research has identified seven novel vulnerabilities and attack techniques in OpenAI's ChatGPT, including indirect prompt injections, exfiltration of user data, and bypasses of safety mechanisms in the latest GPT-5 model. These vulnerabilities allow attackers to manipulate the large language model (LLM) through crafted inputs, potentially leading to the theft of private information from user memories and chat histories, even when users simply interact with ChatGPT. The research highlights that hundreds of millions of users could be at risk, as attackers can exploit these weaknesses to bypass safeguards and extract sensitive data without user awareness. The release of OpenAI's ChatGPT Atlas, an AI-powered browser that remembers user activities and acts autonomously, further amplifies these concerns. Security experts warn that features such as persistent memory and autonomous actions increase the attack surface, making the browser susceptible to prompt injection and other AI-specific vulnerabilities. The implications for enterprise security and privacy are significant, as these AI-driven tools become more integrated into business processes, necessitating new approaches to identity management, access controls, and oversight to mitigate the risks posed by advanced AI-enabled attacks.
Mar 21, 2026