I tricked Claude into leaking your deepest, darkest secrets
macleginn
623 points
284 comments
July 15, 2026
Related Discussions
Found 5 related stories in 829.3ms across 14,015 title embeddings via pgvector HNSW
- The Claude Code Leak mergesort · 79 pts · April 02, 2026 · 61% similar
- The Claude Code Source Leak: fake tools, frustration regexes, undercover mode alex000kim · 1057 pts · March 31, 2026 · 57% similar
- Anthropic embedded spyware in Claude Code – and attempted to hide it from you theanonymousone · 13 pts · June 30, 2026 · 54% similar
- Claude Used to Hack Mexican Government Jimmc414 · 21 pts · March 06, 2026 · 51% similar
- Everything that went wrong with Claude aratahikaru5 · 31 pts · April 27, 2026 · 51% similar
Discussion Highlights (20 comments)
artisinal
Doesn’t surprise me. Yesterday I learned that people run AI agents on their system with full admin rights. No containerisation or anything. Wild. Like we forgot 50 years of computer security overnight.
swipee
Expected more from Anthropic by at least giving you a bounty, because this was a novel way of bypassing their safeguards…
lifthrasiir
That's why I don't turn memory on. (Claude Code too though for a different reason.) After all the current memory system is too crude to be useful anyway.
bflesch
Creative use of social engineering, well done. > "no bounty was awarded" Ridiculous. Anthropic engineers are not just stupid to allow such a vuln in the first place, but they also try to hide such vulns from their bosses because a bounty payout would need to be explained to the finance team.
charcircuit
It would be safer if these data extraction takes were done by a subagent without access to all the user's memories.
onion2k
The main thing Claude knows about me is that I'm incredibly bad at my job and have to ask for help a lot. If you were to talk with my colleagues they'd tell you this is not a secret.
apejcic
Use GLM-5.2 on ZDR inference provider like sference.com
LeoPanthera
I always have history disabled mostly because I don't want Claude judging me for re-asking questions based on information I learned during the first pass but now realize should have been in the initial query.
0000000000100
Hello? What model is was used?? The fact that ‘Claude’ is used instead of any hard model really puts this article in serious doubt…
marksully
> despite holding more information than most password managers what?
solids
Things like this are what shatters the illusion of AGI
AndrewThrowaway
What is even more funny that AI agent spent A LOT of tokens while participating in this attack.
memjay
Wondering how big of a percentage have global memory across chats enabled. I always feel like those memories would sooner or later have negative impacts on output quality. Nice write up of your findings. Enjoyed reading an article written by a real human.
amanharshx
Its always the feature combinations that get can get to you. Individually i feel like they make sense, but together they can create some surprising vulnerabilities.
tibzejoker
i would be scared of the answer i dont know why
fragmede
No bounty? For shame, Anthropic.
po1nt
I love how claude focuses on exfiltrating the data "I need cha for charlotte". This could be solvable with some kind of low powered safety agent that would check claude's reasoning for anything immoral/unsafe. We could call it common sense. It won't fix the problem completely but at a certain point it would be easier to trick human than a machine.
c16
That I don't know how to return odd or even in javascript?
figmert
Meanwhile I can't even get Fable to help me root my ecovacs robot vacuum :(
port3000
My name in Claude is Silly Bean. I did it at first because it made me chuckle every time I opened Claude and it said 'Back again, Silly Bean?' But turns out I was playing 4D cybersecurity chess