6 incidents

Data Exfiltration & Privacy

When the model becomes the exfiltration vector

Because AI agents hold live credentials to email, calendars, code repositories, and databases, a successful prompt injection does not stop at the model - it walks straight into the company's data. These incidents show how adversaries use the model's own retrieval and generation capabilities to extract data that was never meant to leave the system.

Slack AI cross-channel data exfiltration

PromptArmor researchers showed that Slack AI could be manipulated through messages in public channels to leak sensitive data - including API keys - from private channels the attacker had no membership in. Slack initially classified the issue as expected behaviour before issuing a fix under public pressure.

Impact: Exposed that AI features bolted onto collaboration tools create lateral data-movement risk across permission boundaries that the underlying platform's own access controls do not anticipate.

How Aleytheya catches it (Secure + Protect)

DLP Outbound + Prompt Injection Detection + Audit Trail

Secure's DLP outbound scanner would have detected API keys in the response before delivery. The Protect layer's tamper-proof audit trail would have logged the full injection chain, and the injection detection would have flagged the indirect injection in the public channel message.

ChatGPT training data extraction

Researchers at Google DeepMind, ETH Zurich, and Berkeley demonstrated that repeating a single word thousands of times caused ChatGPT to regurgitate verbatim training data - including names, email addresses, phone numbers, and private content scraped from the internet.

Impact: Established that production LLMs memorise and can be induced to reproduce PII at scale. Led to GDPR right-to-erasure challenges against training data practices.

How Aleytheya catches it (Secure + Protect)

PII Outbound Detection + DLP Outbound + Prompt Injection Detection

The PII outbound scanner would have detected and masked SSNs, emails, and phone numbers in the extracted training data before delivery. The anomalous repetition pattern would have triggered the runaway detector and DLP outbound checks simultaneously.

ChatGPT plugin data exfiltration via cross-plugin request forgery

Security researcher Johann Rehberger demonstrated that malicious content in a webpage could inject instructions causing ChatGPT to use its plugins to send user conversation data to an attacker-controlled server via crafted image URLs - bypassing the content security policy.

Impact: Demonstrated that multi-tool agent architectures are vulnerable to cross-plugin request forgery - a class of attack with no precedent in traditional web security.

How Aleytheya catches it (Secure + Protect)

Prompt Injection Detection (Indirect) + Tool Validation + DLP Outbound

Secure's indirect injection scanner would have caught the injected instructions in the retrieved webpage content. Tool Validation would have blocked the out-of-scope API call to an external server. DLP outbound would have intercepted the data-carrying image URL before transmission.

EchoLeak - first zero-click LLM exploit, Microsoft 365 Copilot

Aim Labs disclosed CVE-2025-32711 (CVSS 9.3): an attacker sends an email with hidden markdown instructions; when the user later asks Copilot any question, the retrieval engine pulls the email into context and exfiltrates the user's most sensitive mailbox data via image-fetch URLs abusing allow-listed Microsoft domains - no click required.

Impact: The first publicly documented zero-click prompt injection in a production AI system. Demonstrated that RAG-powered enterprise copilots create a new class of passive, undetectable exfiltration vector.

How Aleytheya catches it (Secure + Protect)

Prompt Injection Detection (Indirect) + DLP Outbound + Audit Trail

The indirect injection scanner would have flagged the hidden markdown instructions pulled into context during retrieval. DLP outbound would have blocked the encoded data in the image-fetch URL. The full injection chain would have been captured in the tamper-proof audit log for forensic reconstruction.
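The Slack AI, plugin and EchoLeak cases above all hinge on an outbound check that runs on the model's response before it is delivered or rendered. The following is an added illustration of that kind of check, not Aleytheya's code: it looks for credential-shaped strings and for markdown image URLs that either point at a host outside an allow-list or, as in EchoLeak, sit on an allowed host but carry data in a query parameter. The allow-listed host, the secret patterns and the sample response are all constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qsl

# Constructed allow-list of hosts the client may fetch images from.
ALLOWED_IMAGE_HOSTS = {"cdn.example-corp.internal"}

# Illustrative secret patterns; a real DLP scanner would carry many more.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_api_key": re.compile(
        r"\b(?:api[_-]?key|token)\s*[:=]\s*['\"]?[A-Za-z0-9_\-]{20,}", re.I),
}

# Markdown image syntax ![alt](url): the fetch happens without a click,
# which is the channel abused in the plugin and EchoLeak incidents.
MD_IMAGE = re.compile(r"!\[[^\]]*\]\(([^)\s]+)\)")


def scan_outbound(text, max_param_len=32):
    """Return (finding_type, detail) tuples for one model response."""
    findings = []
    for name, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append((name, match.group(0)))
    for url in MD_IMAGE.findall(text):
        parsed = urlparse(url)
        if parsed.hostname not in ALLOWED_IMAGE_HOSTS:
            findings.append(("image_host_not_allowed", url))
        # An allowed host is not enough: a long query value on a pixel
        # fetch can still smuggle encoded mailbox or channel content.
        for key, value in parse_qsl(parsed.query, keep_blank_values=True):
            if len(value) > max_param_len:
                findings.append(("image_url_carries_data", f"{key}={value[:16]}..."))
    return findings


def gate(text):
    """Block delivery when any finding is present; otherwise pass through."""
    findings = scan_outbound(text)
    return ("block", findings) if findings else ("deliver", text)


# Constructed response: an allowed image host with a data-bearing query
# string plus the public AWS documentation example access key.
SAMPLE_RESPONSE = (
    "Here is the summary you asked for.\n"
    "![status](https://cdn.example-corp.internal/pixel.png"
    "?d=QWxpY2UgLSBib251cyBwbGFuIDIwMjUgLSBjb25maWRlbnRpYWw)\n"
    "Also, the deploy key is AKIAIOSFODNN7EXAMPLE.\n"
)
```

Running `gate(SAMPLE_RESPONSE)` blocks the response on both the key and the data-carrying image URL, while a plain answer with no secrets or images is delivered unchanged.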

ComPromptMized - zero-click AI worm

Researchers demonstrated ComPromptMized: a self-propagating worm that uses adversarial prompts in emails to instruct GenAI-powered email assistants to both execute the attacker's instructions and include the malicious prompt in the AI's output - causing it to spread to the next recipient's AI agent automatically.

Impact: Proof of concept for a new class of autonomous AI-to-AI attack vector. With no human interaction required, the attack surface scales with the number of connected AI agents.

How Aleytheya catches it (Secure + Protect)

Prompt Injection Detection + Multi-Agent Chain Tracing + Audit Trail

Secure's indirect injection scanner would have caught the adversarial prompt in the email content. Multi-agent chain tracing would have flagged the anomalous propagation pattern - the same payload appearing across multiple agents - triggering an automatic incident and quarantine.

RoguePilot: Exploiting GitHub Copilot for repository takeover

Orca Security researchers demonstrated that malicious content injected into repository files could manipulate GitHub Copilot into making unauthorised changes to code, secrets, and CI/CD configuration - effectively enabling a full repository takeover via an AI agent with write permissions.

Impact: Demonstrated that AI coding agents with write access create a novel supply-chain attack vector exploitable entirely through the AI, without compromising developer credentials.

How Aleytheya catches it (Secure + Protect)

Prompt Injection Detection (Indirect) + Tool Validation + Destructive Actions

Secure's indirect injection scanner would have flagged the malicious content in repository files during retrieval. Tool Validation would have blocked write operations outside the permitted tool scope. The Protect layer's audit trail would have captured every write action for forensic review.