Claude’s reported “secrets leak” attack demonstrated a real prompt-injection exfiltration path through Claude’s then-allowed web_fetch link-following behavior and access to user memory, but it did not by itself prove random cross-user or cross-session memory bleed inside Claude’s base model. The clearest public account, from Simon Willison’s summary of Ayush Paul’s demo, says the proof of concept could reportedly leak limited profile details such as name, employer, and home city to an attacker-controlled site.
That distinction matters. A tool-enabled agent being tricked into visiting a malicious page and then exfiltrating data from its available context is a serious security failure; it is not the same claim as “the model randomly spills other users’ secrets.” Anthropic’s later engineering write-up describes the disclosed issue as one involving allowed-domain exfiltration and persistent memory poisoning and says the specific follow-on navigation path used in the demo was removed.
The demonstrated leak path was web_fetch link-following plus memory access
The reported attack worked because Claude could be induced to fetch attacker-controlled web content and then follow embedded links. That gave the attacker a route to deliver prompt-injection instructions through page content, have Claude read from the user’s available context or memory, and send selected details back out through a subsequent web request.
In Willison’s summary, the exposed information was reportedly limited personal profile data, including a user’s name, employer, and home city. That is a real privacy problem, but it is not a blanket dump of every Claude user record, and the public descriptions available here do not support that broader claim.
Anthropic’s own user-facing safety guidance says prompt injection becomes possible when Claude is given access to untrusted external content or tools that can read or act on data. In other words, once an agent can browse, read remote content, and act on instructions embedded in that content, the web page is no longer just data. It is also input to the model’s control loop.
That is the same broad class of problem that shows up in other agent environments. In our earlier coverage of a Claude Code harness leak analysis, the load-bearing question was not whether the base model had mystical access to secrets, but whether the surrounding tool chain gave it a path to read and transmit them.
Anthropic’s engineering post makes the mechanism more concrete. The company says a third-party researcher disclosed an issue where Claude could be induced to exfiltrate data to an attacker-controlled domain by navigating through allowed web content. Anthropic also discusses persistent memory poisoning in the same write-up, meaning an attacker could potentially plant instructions or malicious content in memory that would be available later to the assistant. That is ugly enough without inflating it into a claim the evidence does not show.
Anthropic says the disclosed issue involved Claude being able to exfiltrate data to an attacker-controlled domain by navigating through allowed web content, not spontaneous leakage with no malicious page in the loop.
Anthropic says the hole is closed by removing follow-on navigation
Anthropic says it had already identified the issue internally and then closed the specific path by removing the follow-on navigation behavior that let Claude continue from an allowed fetch to attacker-chosen destinations. Willison’s summary likewise reports that Anthropic closed the hole after disclosure.
That is a meaningful mitigation because the demo’s exfiltration path depended on chained browsing behavior. If the agent can fetch one page but cannot be steered into subsequent requests that carry stolen context out to an attacker endpoint, the exact proof of concept stops working.
Anthropic’s public documentation also draws a line between model behavior and environment responsibility. Its self-hosted sandbox security model says customers are responsible for controls such as network egress restrictions, logging, and compromise detection in their own environments. That does not let Anthropic off the hook for product behavior, but it does explain why online claims about “Claude leaking secrets” often blur together very different failure modes: model behavior, product-layer agent permissions, and customer-run harness mistakes.
A simple way to frame it is this:
| What the demo showed | What the demo did not show |
|---|---|
| Prompt injection through fetched web content | Random leakage with no malicious external page |
| Exfiltration of limited available profile details | Proof that all Claude user data was exposed |
| A path involving memory/context access | Proof of base-model cross-user memory bleed |
| A product behavior Anthropic says it removed | Evidence the same path still works today |
The company’s Claude Cowork safety guidance makes a related point in plainer language: isolation of remote sessions does not prevent all risky reads or actions if the model is still allowed to process hostile content and use tools. Sandboxing helps; it is not a magic amulet.
The broader risk is agent tool access, not proof of cross-user memory bleed
The most important correction to the viral framing is that this was a demonstrated agent-layer exfiltration attack, not clean evidence of cross-user privacy failure inside the base model itself. The distinction is not academic. If the base model were randomly serving up data from unrelated users or sessions, that would imply a very different class of systemic failure.
There are real reasons to worry about cross-session threats in AI agents. A recent benchmark paper, Cross-Session Threats in AI Agents: Benchmark, Evaluation, and Algorithms, treats cross-session agent threats as a distinct and serious category. But “this category exists” is not the same as “this particular Claude demo proved it happened here.”
That is also why the Claude shared memory in Slack story matters as a separate issue. Shared workspace memory, persistent user context, and tool permissions can all create leakage paths, but they are not interchangeable. One can be a product design problem; another can be a harness problem; another can be a model problem. Throwing them into one bucket mostly helps the hype cycle.
Independent commentary has landed in roughly the same place. The Keelcrux summary of the incident characterizes it as a persistent-memory and exfiltration issue at the product layer, not a simple “Claude just leaks secrets” story. Given the available public evidence, that is the tighter reading.
One caveat is worth stating plainly: the original researcher write-up was not directly retrievable in the source set here, so this reconstruction relies on Willison’s detailed secondary summary and Anthropic’s own post-disclosure account. These are strong sources for the mechanism and the patch, but they are still not the same as having the original full exploit text in hand.
The next useful milestone is whether Anthropic publishes more granular technical details on current guardrails for web_fetch, memory scoping, and outbound request controls beyond the high-level containment described in its engineering post.
Key Takeaways
- The reported Claude attack demonstrated a real prompt-injection exfiltration path through
web_fetchand available memory/context. - The public evidence does not show random cross-user or cross-session memory bleed inside Claude’s base model.
- The proof of concept reportedly exposed limited profile details such as name, employer, and home city, not a blanket dump of all user data.
- Anthropic says it removed the follow-on navigation behavior that enabled the disclosed exfiltration path.
- The broader lesson is that agent tool access and memory create attack surfaces even when the underlying model is not “spontaneously leaking” data.
Further Reading
- How I tricked Claude into leaking your deepest, darkest secrets, Simon Willison’s summary of Ayush Paul’s reported exploit and Anthropic’s response.
- How we contain Claude across products, Anthropic’s engineering post on the disclosure, containment, and agent security lessons.
- Use Claude Cowork safely, Anthropic’s explanation of prompt injection risks in remote tool-use workflows.
- Security model, Anthropic’s documentation on self-hosted sandbox responsibilities and limits.
- Cross-Session Threats in AI Agents: Benchmark, Evaluation, and Algorithms, A research framing of cross-session threats as a broader AI-agent security category.
Last reviewed: 2026-07
