OpenAI Adds ChatGPT Lockdown Mode to Curb Prompt-Injection Data Exfiltration
OpenAI has begun rolling out Lockdown Mode for ChatGPT accounts as an optional security setting designed to reduce data exfiltration risk from prompt-injection attacks. The feature is available for eligible personal users across Free, Go, Plus, Pro, and self-serve ChatGPT Business plans, with reporting also indicating availability for managed enterprise workspaces. When enabled, it restricts or disables capabilities that create outbound paths to external services, including live web browsing, image retrieval or support, deep research, agent mode, Canvas networking approvals, and external file downloads.
OpenAI said the control is intended for people handling sensitive data, but warned it does not prevent prompt injections from reaching model context, stop manipulated responses, or guarantee complete prevention of data leakage. The company added that Lockdown Mode cannot be used at the same time as Developer Mode and does not change memory, file upload, or conversation-sharing behavior. For enterprise use, OpenAI said protection also depends on administrator controls such as RBAC, trusted app settings, and connector permissions, while residual risk remains through third-party apps, feature combinations, and emerging attack techniques; it also introduced session-management tools so users can review active ChatGPT sessions and sign out of individual or all sessions if suspicious activity is detected.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
OpenAI expands ChatGPT Lockdown Mode to all plans
ZDNET reports that OpenAI expanded ChatGPT Lockdown Mode availability from select organizational or eligible subscribers to all ChatGPT plans, including Free, Plus, Pro, Business, Enterprise, Edu, Healthcare, and Teachers. The rollout remained in progress, so the setting might not yet have been visible in every account.
OpenAI adds ChatGPT session management controls
OpenAI also introduced a session management capability that allows users to review active ChatGPT sessions and log out of individual sessions or all sessions if unauthorized activity is suspected.
OpenAI rolls out ChatGPT Lockdown Mode
OpenAI started rolling out an optional Lockdown Mode for eligible ChatGPT accounts to reduce data exfiltration risk from prompt-injection attacks by restricting tools and outbound network access. The feature is described as available for personal accounts, self-serve ChatGPT Business users, and in one report, managed enterprise workspaces.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
Comment le nouveau mode Verrouillage de ChatGPT vous protège cont ...
zdnet.fr
Open sourceOpenAI Expands ChatGPT Lockdown Mode to Millions of Eligible Users
techrepublic.com
Open sourceOpenAI представила Lockdown Mode, защищающий от последствий промпт-инжектов - Хакер
xakep.ru
Open sourceHow ChatGPT's new Lockdown mode protects you from data theft (and what else it does) | ZDNET
zdnet.com
Open sourceChatGPT Lockdown Mode: New Security Update
securityonline.info
Open sourceNew ChatGPT Lockdown Mode to Mitigate Prompt Injection and Data Exfiltration Risks - Cyber Security News
cybersecuritynews.com
Open sourceNew ChatGPT Lockdown Mode Limits Tools That Could Enable Data Exfiltration
thehackernews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
OpenAI Adds ChatGPT Lockdown Mode and Elevated Risk Labels to Reduce Prompt-Injection Exfiltration
OpenAI introduced **Lockdown Mode** and **Elevated Risk** labels in *ChatGPT* to reduce exposure to **prompt injection** and related data-exfiltration risks when AI features interact with external systems. Lockdown Mode is positioned as an optional, advanced setting for higher-risk users and environments (notably *ChatGPT Enterprise*, *Edu*, *for Healthcare*, and *for Teachers*) that restricts tool access and limits how ChatGPT can reach outside systems; reported controls include disabling or constraining capabilities attackers could abuse via conversations or connected apps, and limiting browsing so that no live network requests leave OpenAI-controlled infrastructure (with browsing constrained to cached content). Admins can enable the setting via workspace controls and apply additional restrictions through dedicated roles, while Elevated Risk labels provide in-product warnings and guidance for features that increase risk when connecting to apps or the web, including across *ChatGPT*, *ChatGPT Atlas*, and *Codex*. Separate research highlighted how AI assistants with web-browsing/URL-fetching features can be abused as stealthy **command-and-control (C2) relays**, demonstrating a technique against **Microsoft Copilot** and **xAI Grok** that tunnels operator commands and victim data through legitimate AI web interfaces and can work without an API key or registered account. In parallel, the **European Parliament** reportedly disabled built-in AI tools on lawmakers’ work devices due to cybersecurity and privacy concerns about uploading sensitive correspondence to third-party cloud AI providers and uncertainty about what data is shared and retained. Other referenced material focused on general productivity customization of ChatGPT via “Custom Instructions,” rather than a specific security event or disclosure.
Mar 21, 2026
OpenAI's Ongoing Defense Against Prompt Injection Attacks in ChatGPT Atlas
OpenAI has implemented an automated attacker system to proactively test and strengthen the security of ChatGPT Atlas, its agentic web browser, against prompt injection attacks. These attacks involve embedding malicious instructions into content that the AI agent processes, potentially causing it to act against the user's interests. The company acknowledges that the very features making agentic browsers powerful also introduce persistent vulnerabilities, and that complete protection from prompt injection is unlikely. OpenAI's approach leverages AI-driven red teaming to rapidly identify and address new attack vectors, aiming to stay ahead of evolving threats. A recent security update to Atlas was prompted by the internal discovery of a new class of prompt injection attacks using this automated red-teaming system. The attack surface for browser agents is broad, as they can interact with untrusted content from emails, documents, social media, and web pages, increasing the risk of harmful actions such as forwarding sensitive information or altering cloud files. OpenAI emphasizes that defending against prompt injection will be a continuous effort, likening it to an arms race similar to combating online scams, and stresses the importance of a rapid response loop to reduce real-world risks over time.
Mar 21, 2026
AI Prompt Injection and Data Leakage Vulnerabilities in OpenAI's ChatGPT and Atlas Browser
Tenable Research has identified seven novel vulnerabilities and attack techniques in OpenAI's ChatGPT, including indirect prompt injections, exfiltration of user data, and bypasses of safety mechanisms in the latest GPT-5 model. These vulnerabilities allow attackers to manipulate the large language model (LLM) through crafted inputs, potentially leading to the theft of private information from user memories and chat histories, even when users simply interact with ChatGPT. The research highlights that hundreds of millions of users could be at risk, as attackers can exploit these weaknesses to bypass safeguards and extract sensitive data without user awareness. The release of OpenAI's ChatGPT Atlas, an AI-powered browser that remembers user activities and acts autonomously, further amplifies these concerns. Security experts warn that features such as persistent memory and autonomous actions increase the attack surface, making the browser susceptible to prompt injection and other AI-specific vulnerabilities. The implications for enterprise security and privacy are significant, as these AI-driven tools become more integrated into business processes, necessitating new approaches to identity management, access controls, and oversight to mitigate the risks posed by advanced AI-enabled attacks.
Mar 21, 2026