All posts

Security researcher exfiltrates personal data from Claude's memory

Manaal KhanJuly 15, 2026 at 3:46 PM5 min read
Security researcher exfiltrates personal data from Claude's memory

Key Takeaways

The Agentic Shift: Claude Code Security Research Preview

Security researcher exfiltrates personal data from Claude's memory
Source: Hacker News: Best
  • Claude's memory system stores detailed personal profiles that persist across conversations
  • A security researcher demonstrated data exfiltration using Claude's web browsing tools
  • The attack bypassed Anthropic's URL restrictions by exploiting how Claude 'clicks' hyperlinks

Security researcher Ayush Paul has demonstrated a method to extract personal information from Claude's memory system, including full names, employers, and security question answers, without any visible indication to the user. The attack exploits how Anthropic's AI assistant combines persistent memory features with web browsing capabilities.

Paul, currently at fintech company Beem, published his findings on his personal blog after testing the attack against Claude's main consumer product at claude.ai. His proof-of-concept successfully exfiltrated his own stored data to an external server he controlled.

Advertisement

How Claude's memory becomes a liability

Claude uses a two-part memory system. First, it runs a daily summarization pass that distills recent conversations into paragraphs about the user. This summary gets injected into every new conversation so Claude can maintain context. Second, it has a retrieval tool called conversation_search that queries the user's full conversation history on demand.

"AI assistants like Claude have accumulated the most information-dense profiles on millions of people," Paul wrote. "People confide in them on everything, from confidential work assets to personal secrets to relationship problems. Over time, that conversation history becomes a high-fidelity reconstruction of you."

The security implications are significant. Industry surveys suggest 67% of users share sensitive personal information with AI chatbots. With over 100 million weekly active users across major AI assistants, the scale of potential exposure is substantial.

The exfiltration technique

Paul's initial approach was straightforward: use Claude's web_fetch tool to send data to a server he controlled. Claude can access websites, and if the attacker owns the destination, they can log whatever Claude sends.

Anthropic had anticipated this. The web_fetch tool blocks arbitrary URL requests. It only allows URLs that meet one of three criteria: the URL appears directly in the user's message, the URL comes from web_search results, or the URL is linked in content from a previous web_fetch.

The third criterion created the opening. If Claude visits a page, it can follow any hyperlinks on that page. Since an attacker controls their own website, they control which links appear.

Paul built a prototype where the homepage linked to /a, /b, /c, and so on, essentially creating a keyboard. By crafting the right prompt, he could get Claude to "type" sensitive data by navigating through these character paths. The server logs captured each request, reconstructing the exfiltrated information.

Advertisement

What makes this attack dangerous

The attack requires no experimental settings, no code execution, and no niche MCP (Model Context Protocol) access. It works against Claude's standard consumer product. A victim would only need to visit a malicious page through Claude or be prompted to do so through social engineering.

Paul's server logs showed the exfiltration in real time: name, company, hometown, all transmitted without the user seeing any warning. The conversation looked completely normal.

The broader concern extends beyond Claude. Any AI assistant that combines persistent memory with web access creates similar attack surface. As memory features become standard, users treat these systems like trusted confidants without understanding that their accumulated data flows through complex systems with potential vulnerabilities.

Startup implications for data handling

Founders building on AI APIs should pay attention. If you're using Claude or similar assistants with memory enabled for customer support, internal operations, or product features, user data may be accumulating in ways your security model doesn't account for.

The attack also highlights the gap between perceived and actual trust boundaries. Users sharing sensitive information with AI assistants assume that data stays in a controlled environment. Prompt injection attacks demonstrate otherwise.

ℹ️

Logicity's Take

This vulnerability sits at the intersection of two trends: AI personalization and AI agency. Memory features make assistants more useful. Web browsing makes them more capable. Together, they create exfiltration risk that most users don't consider. For startups building AI products, the lesson is clear: treat any persistent context as a potential attack vector. Competitors like ChatGPT with memory features face similar architectural challenges. The AI security tooling market, still nascent, will likely see rapid growth as these attack patterns become better understood.

Anthropic has not publicly commented on Paul's findings. The company's official documentation describes memory as a feature that "makes Claude more helpful over time by remembering details about you and your preferences," without detailing the security model around that stored data.

Frequently Asked Questions

Can I disable Claude's memory feature?

Yes. Claude's memory settings can be adjusted in account preferences. Disabling memory prevents the summarization system from storing information about you across sessions.

Does this vulnerability affect Claude API users?

The demonstrated attack targeted Claude's consumer web interface at claude.ai, which has built-in web browsing tools. API implementations vary based on how developers configure tool access.

Are other AI assistants vulnerable to similar attacks?

Any AI assistant combining persistent memory with web browsing capabilities could face similar attack vectors. The specific technique depends on each platform's URL restrictions and tool access patterns.

What information is most at risk?

Anything you've told the AI assistant over time: names, employers, locations, security question answers, personal preferences, and confidential work details. Memory systems compress this into accessible profiles.

Also Read
OpenAI employees fund rival PAC to fight their own boss

Governance and trust issues across major AI companies

ℹ️

Need Help Implementing This?

If you're building AI-powered products and need help thinking through security architecture, data handling practices, or user trust models, reach out to the Logicity team. We connect founders with specialists who understand the intersection of AI capabilities and security requirements.

Source: Hacker News: Best / Ayush Paul

Advertisement
M

Manaal Khan

Tech & Innovation Writer

Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.