ChatGPT Exploit Leaked Gmail Data in Shadow Leak Test

Q: What was the Shadow Leak exploit?

Shadow Leak was a proof-of-concept attack where ChatGPT’s Deep Research agent was tricked via prompt injection to steal Gmail data.

Q: Did hackers steal real Gmail accounts?

No, the exploit was carried out by Radware researchers as a security test, not a real-world criminal hack.

Q: How did the exploit bypass normal defenses?

Because the data exfiltration ran on OpenAI’s cloud infrastructure, standard cybersecurity tools couldn’t detect it.

Q: Which apps could be vulnerable?

Researchers warn that Outlook, Google Drive, Dropbox, and GitHub connectors could face similar risks from prompt injections.

Q: Has OpenAI fixed the issue?

Yes. OpenAI patched the vulnerability flagged by Radware in June 2025.

The Discovery

Security researchers at Radware tricked ChatGPT into helping them exfiltrate sensitive Gmail data — without the user knowing. The exploit, named Shadow Leak, highlights the risks of outsourcing sensitive tasks to AI agents like OpenAI’s Deep Research.

How the Attack Worked

Unlike standard ChatGPT use, AI agents can act on behalf of users with little oversight, browsing, opening emails, or pulling documents. Radware planted a prompt injection inside an email.

When the user’s Deep Research agent accessed Gmail, it unknowingly obeyed hidden instructions.
The prompt told it to scan HR emails and personal data.
The agent then leaked that information to attackers, with no alerts to the victim.

Because the exploit ran on OpenAI’s own cloud infrastructure, traditional cybersecurity defenses couldn’t detect it.

Why It’s Different from Other Prompt Injections

Prompt injections usually trick a model in visible conversations. Shadow Leak was stealthier: the malicious instructions were hidden (e.g., white text on a white background) and executed remotely.

Researchers warn similar tactics could target Outlook, GitHub, Google Drive, Dropbox, and other connectors, risking contracts, customer data, and meeting records.

OpenAI’s Response

Radware disclosed the issue to OpenAI in June. OpenAI has since patched the vulnerability. Still, the case underscores how powerful but risky AI agents are — able to help productivity but also act as attack vectors.

Why This Matters

The Shadow Leak exploit raises a critical question: How do we secure AI systems that have access to our most private data?

Experts say full prevention may be impossible — but better sandboxing, monitoring, and user transparency are key.

FAQs About the ChatGPT Gmail Data Leak

Q1. What was the Shadow Leak exploit?
A security test where ChatGPT’s Deep Research agent was tricked into stealing Gmail data using hidden prompt injections.

Q2. Did hackers steal real Gmail accounts?
No. It was a controlled security test by Radware researchers, not a criminal breach.

Q3. How did the exploit bypass normal defenses?
It ran on OpenAI’s cloud infrastructure, making it invisible to traditional cybersecurity tools.

Q4. Which apps could be vulnerable?
Besides Gmail, Outlook, Google Drive, Dropbox, and GitHub connectors may face similar risks.

Q5. Has OpenAI fixed the issue?
Yes. OpenAI patched the vulnerability in June 2025, according to Radware.