27 July 2025
Random News

The latest AI News – DNAI Vision

Decoding Tomorrow's Artificial Intelligence , Today

Senior IT Project manager

Adrien CIRET

Cybersecurity Specialist - IAG Junior Consultant

Youssef AGHZERE

Trending Articles

Non classé
Beyond the Firewall: Trusting AI with Cybersecurity’s Future
Artificial Intelligence
The Economic Impact of Generative AI: Trillions by 2030 and Beyond
Artificial Intelligence
Cybersecurity
User Data Management by OpenAI: Collection, Storage, Processing, Sharing, Security, and Use
Artificial Intelligence
Generative AI
Mind-Blowing AI: Are Neural Networks Creating TRUE Intelligence or Just the Ultimate Impostors?

When Your Chatbot Betrays You: Inside the Attacks That Leak Private AI Conversations

Youssef AGHZERE013 mins

Overview

In an era when AI chatbots have seamlessly woven into our personal and professional lives, a series of startling security failures has laid bare how easily private conversations can be weaponized by attackers. On March 20, 2023, OpenAI was forced to freeze ChatGPT after a race condition in the redis-py library exposed chat titles – and in rare cases, billing details – to other users. Just over a year later, an arXiv study demonstrated that both ChatGPT-4 and its GPT-4o variant are vulnerable to prompt-injection attacks, enabling malicious actors to siphon personal data by embedding covert commands into innocuous text. Around the same time, “divergence attacks” – such as instructing the model to repeat “poem” indefinitely – caused chatbots to break alignment safeguards and regurgitate fragments of their training data, including email signatures and phone numbers. More recently, the “Imprompter” payload tricked Mistral’s LeChat into exfiltrating entire conversation logs to attacker-controlled servers with nearly 80 % success. In response, OWASP placed prompt injection at the top of its 2025 LLM Top 10 risks and ranked sensitive-information disclosure second, underscoring the urgency of robust input sanitization, strict data isolation, and transparent retention policies. These high-profile breaches expose a simple yet alarming truth: without layered defenses and continuous vigilance, our most private AI-mediated conversations may never truly be private.

The Evolution of AI Chatbots and Data Practices

AI chatbots have evolved from rigid, rule-based scripts to sophisticated generative models trained on vast text corpora, transforming customer service, personal assistants, and enterprise workflows with near-human fluency. Under the hood, most chatbots maintain ephemeral sessions – discarding conversation histories once the browser window closes – while optional features like ChatGPT’s “memory” store user preferences and past details to personalize future interactions. These systems rely on in-memory caches such as Redis, durable databases, and logging pipelines that capture metadata, user identifiers, and sometimes message contents for analytics or retraining. By default, providers anonymize and retain logs for continuous model improvement, though users may opt out; this dual mandate of personalization and data reuse raises critical questions about consent, duration of storage, and the risk that private data may resurface unexpectedly.

Attack Vectors: From Infrastructure Flaws to Linguistic Exploits

Redis-py Race Condition

On March 20, 2023, a misconfiguration triggered a surge in canceled Redis commands, causing the redis-py client’s shared connection pool to return stale data belonging to other users. During a nine-hour window, approximately 1.2 % of ChatGPT Plus sessions saw other users’ chat titles – and, in a handful of cases, names, emails, billing addresses, card types, expiration dates, and the last four credit-card digits – until OpenAI patched the library and added redundant user-ownership checks.

Prompt-Injection Exploits

Prompt injection leverages an LLM’s inability to distinguish instructions from data, embedding malicious directives in user input that hijack the model’s generation process. In May 2024, Gregory Schwartzman revealed that ChatGPT-4 and GPT-4o could be induced – without third-party tools – to exfiltrate personal data by embedding covert “monitor and report” commands and exploiting the memory feature to accumulate stolen details across sessions.

Divergence Attacks

A divergence – or “repeat-loop”- attack instructs the model to repeat a token such as “poem” or “book” indefinitely. After hundreds of iterations, internal filters momentarily fail, causing the chatbot to bleed verbatim excerpts from its training set, including personal email signatures, phone numbers, and copyrighted text. Dropbox engineers later demonstrated multi-token variants that bypassed OpenAI’s single-token safeguards, extracting memorized data from both GPT-3.5 and GPT-4 even after initial patches.

Agent-Based Exfiltration: Imprompter

In mid-2024, researchers from UC San Diego and Nanyang Technological University introduced “Imprompter,” an obfuscated payload that tricks chatbots like Mistral’s LeChat into routing stolen chat logs to attacker-controlled domains. By disguising commands as random data, Imprompter achieved nearly 80 % success rates, especially when LLMs possess URL-and-tool access.

Case Studies in Detail

Redis-py Incident (March 2023)

OpenAI’s post-mortem disclosed that a race condition in redis-py exposed chat titles and partial billing data to other users for nine hours, affecting 1.2 % of ChatGPT Plus subscribers. The fix involved patching redis-py, isolating user namespaces, and validating ownership before rendering histories.

Prompt-Injection Study (May 2024)

Schwartzman’s arXiv paper showed attackers embedding hidden directives within prompts to force the model to leak personal data. The vulnerability spanned all users and was amplified by memory features that retained stolen details across sessions.

Divergence Attack (“Poem Forever,” Dec 2023)

Security researchers from Google DeepMind, Cornell, CMU, and others prompted ChatGPT to repeat “poem” ad infinitum, triggering a “meltdown” where 3 % of generated text contained exact training-data memorization – email signatures, contact info, and code snippets.

Imprompter Payload (July 2024)

The Imprompter attack leveraged obfuscated prompts to exfiltrate entire chat histories from Mistral’s LeChat with an 80 % success rate, highlighting the risks when LLMs can access external tools and URLs.

Impact, Risks, and Regulatory Landscape

These incidents have exposed personally identifiable information (PII), business secrets, and fragments of copyrighted content to potentially millions of users. Even a 1 % leak rate in services with tens of millions of daily sessions can compromise hundreds of thousands of records, leading to reputational damage, legal liabilities under GDPR and CCPA, and hefty fines. Regulators are already scrutinizing AI under existing data-protection frameworks: the European Data Protection Board has signaled that uncontrolled “memory” features may constitute unlawful profiling, while the forthcoming EU AI Act is expected to impose stringent transparency and audit requirements.

Defenses and Best Practices

Architectural protections such as per-user namespaces, encryption at rest, and strict connection-pool hygiene can prevent cross-session bleed. Runtime mitigations include input sanitization to detect repeated-token loops and suspicious prompt patterns, rate limiting to throttle automated exfiltration attempts, and adversarial red-teaming to uncover novel jailbreaks. Policy controls, opt-out mechanisms for data retention, auto-purge policies within 24 hours, and transparent user consent flows, are essential to uphold privacy and trust. Industry standards like the OWASP Top 10 for LLM Applications 2025 place prompt injection at #1 and sensitive-data disclosure at #2, offering detailed checklists for developers and security teams.

Conclusion

The cat-and-mouse game between attackers and defenders in AI chatbots reveals a simple truth: security is only as strong as its weakest link, whether that resides in an open-source dependency, a model’s internal logic, or a lax data-retention policy. By learning from the redis-py outage, prompt-injection exfiltrations, divergence attacks, and agent-based payloads like Imprompter, organizations can build more resilient systems. Proactive measures (data isolation, input filtering, continuous monitoring, and compliance with evolving AI regulations) will be pivotal in safeguarding the next generation of generative AI. Vigilance and collaboration across the AI ecosystem are the only ways to ensure that our most private conversations remain private.

References

  • OpenAI, “March 20 ChatGPT outage: Here’s what happened,” OpenAI Blog, March 2023. OpenAI
  • Help Net Security, “A bug revealed ChatGPT users’ chat history, personal and billing data,” March 27 2023. Help Net Security
  • The Hacker News, “OpenAI Reveals Redis Bug Behind ChatGPT User Data Exposure Incident,” March 25 2023. The Hacker News
  • Gregory Schwartzman, “Exfiltration of personal information from ChatGPT via prompt injection,” arXiv:2406.00199, May 31 2024. arXiv
  • WIRED, “ChatGPT Spit Out Sensitive Data When Told to Repeat ‘Poem’ Forever,” October 2023. WIRED
  • Dropbox Tech, “Evolution of repeated token attacks on ChatGPT models,” June 2023. dropbox.tech
  • WIRED, “This Prompt Can Make an AI Chatbot Identify and Extract Personal Details From Your Chats,” October 2024. WIRED
  • ArXiv, “Imprompter: Tricking LLM Agents into Improper Tool Use,” arXiv:2410.14923, October 2024. arXiv
  • OWASP, “OWASP Top 10 for Large Language Model Applications 2025,” PDF, April 2025. OWASP
  • OWASP GenAI, “LLM01: Prompt Injection,” OWASP LLM Risk Framework. OWASP GenAI
  • Sonatype, “OpenAI data leak and Redis race condition vulnerability that remains unfixed,” Sonatype Blog, March 2023. Sonatype
  • Bitdefender “AI chatbots can be tricked by hackers into stealing your data,” October 22 2024. bitdefender.com

Leave a Reply

Your email address will not be published. Required fields are marked *

Related News