ChatGPT Data Exfiltration Flaw: What It Means for Your Business

A Single Prompt Was All It Took

Security researchers at Check Point disclosed a previously unknown vulnerability in OpenAI's ChatGPT that allowed sensitive conversation data to leave the platform without the user's knowledge. No malware. No phishing link. No suspicious attachment. A single malicious prompt, injected into an otherwise normal conversation, was enough to turn ChatGPT into a covert data exfiltration channel. According to Check Point's findings, the exploit could expose user messages, uploaded files, and other sensitive content. OpenAI has since patched both this flaw and a separate vulnerability in Codex that exposed GitHub tokens. However, the patch arriving after the fact is exactly the kind of timeline that should concern security teams. By the time a fix lands, the window for exploitation may have already closed — on the attacker's terms, not yours.

How Does Prompt Injection Actually Work?

Think of ChatGPT as a highly capable assistant that follows instructions. Prompt injection attacks exploit that obedience. An attacker crafts a hidden instruction — embedded in a document you upload, a webpage you ask the AI to summarise, or text pasted into the conversation — that overrides your intended instructions and tells the model to do something else entirely. In this case, 'something else' meant quietly packaging conversation content and sending it to an attacker-controlled destination. The user sees nothing unusual. The conversation appears to continue normally. The data, however, is already gone. This attack class is not new in concept, but its application to widely used AI assistants is still relatively immature from a defensive standpoint. The tools organisations use to catch traditional data theft — monitoring outbound network traffic, flagging unusual file transfers — are not designed with AI assistant behaviour in mind. That gap is what attackers are beginning to exploit.

Why This Is a Supply Chain and Shadow IT Problem

Here is where the risk becomes harder to contain. Most organisations do not have a formal policy governing how employees use ChatGPT. Staff paste customer data into prompts to speed up reports. Developers upload code snippets to debug. Sales teams share deal summaries to generate emails. All of it happens quickly, informally, and largely outside the visibility of IT and security teams. This is the shadow AI problem, and it sits squarely within the broader supply chain risk category. When an employee uses ChatGPT as part of their workflow, OpenAI's infrastructure and any vulnerabilities within it become part of your organisation's exposure. You did not choose to trust OpenAI with your customer data. Your employee did, on your behalf, without realising the implications. Third-party risk management platforms such as Panorays are designed to give organisations visibility into exactly these kinds of extended trust relationships. Knowing which AI tools your teams are using, what data is passing through them, and what the security posture of those vendors looks like is no longer optional. It is a baseline expectation for any organisation handling sensitive data.

What Data Was Actually at Risk?

Check Point's research indicates the following categories of content were potentially exposed through this vulnerability:

• Full conversation history within an active ChatGPT session
• Uploaded files and their contents, including documents, spreadsheets, and code
• User messages, including any sensitive context provided to improve the AI's responses
• GitHub authentication tokens in the separate Codex vulnerability, which could grant persistent access to private code repositories

The GitHub Token Exposure Deserves Its Own Attention

The Codex vulnerability, patched alongside the ChatGPT flaw, is worth examining separately. Codex is OpenAI's code-focused model, used by developers to generate, review, and refactor code. The vulnerability allowed attackers to extract GitHub tokens — authentication credentials that grant access to private repositories. A compromised GitHub token is not a minor inconvenience. Depending on the permissions attached, an attacker could read proprietary source code, inject malicious commits, exfiltrate intellectual property, or abuse CI/CD pipelines to introduce vulnerabilities into software that eventually ships to customers. This is precisely the kind of supply chain attack vector that security teams lose sleep over. Organisations using tools like Hadrian for continuous attack surface management can identify exposed development tooling and misconfigured code repositories before attackers find them. But the Codex case highlights a harder problem: the exposure does not live in your infrastructure. It lives in a third-party AI platform that your developers trusted with their credentials.

How to Reduce Your Exposure Right Now

The ChatGPT vulnerability has been patched, but the underlying conditions that made it dangerous have not changed. Here is what organisations should act on today: First, audit AI tool usage. Find out which AI assistants your teams are using, which data categories they are feeding into them, and whether any credentials or sensitive documents have passed through these platforms. This is a governance question before it is a technical one. Second, treat AI platforms as third-party vendors. They have APIs, authentication flows, and data handling practices that carry real risk. Use a third-party risk management approach, as supported by platforms like Panorays, to assess and monitor these relationships continuously rather than as a one-time checkbox exercise. Third, deploy anti-exfiltration controls. Traditional data loss prevention tools are not well-suited to catching AI-mediated data theft. BlackFog's anti data exfiltration (ADX) technology monitors and blocks unauthorised outbound data transfers at the device level, which provides a layer of protection that does not depend on knowing in advance what the exfiltration vector looks like. You can find out more at /products/blackfog. Fourth, monitor your attack surface continuously. The Codex GitHub token vulnerability illustrates how AI development tools can become entry points into your software supply chain. Hadrian's continuous attack surface management gives security teams a real-time view of exposed assets, including development tooling — details available at /products/hadrian. Fifth, extend endpoint protection to cover AI-adjacent behaviour. Endpoint security platforms like Coro (for UK organisations) and ESET (for those in New Zealand and across Australasia) provide a foundation for detecting and responding to unusual behaviour at the device level, which remains relevant even when the initial compromise vector is a cloud-based AI tool.

• Audit which AI tools your teams use and what data they handle
• Apply third-party vendor risk processes to AI platforms
• Deploy anti-exfiltration controls that do not rely on known attack signatures
• Run continuous attack surface monitoring to catch exposed dev credentials and tooling
• Ensure endpoint protection and MDR coverage extends to AI-adjacent workflows

The Bigger Pattern Here

This vulnerability is not a story about ChatGPT being insecure. It is a story about how quickly organisations have integrated AI tools into sensitive workflows without updating their threat models to match. Security controls that were built for a world of email attachments, malicious downloads, and compromised endpoints are being stress-tested by a new class of risk: invisible data flows through AI platforms that employees trust implicitly, using attack techniques that leave no obvious trace in traditional logs. Check Point's research — published via The Hacker News in March 2026 — is a useful reminder that the attack surface is not static. Every new tool your teams adopt is a potential entry point, and AI assistants are no different. The organisations that stay ahead of this are the ones treating AI adoption as a security project, not just a productivity one. If you want to understand how your current security posture holds up against AI-adjacent threats, Kyanite Blue's team can help you assess your exposure and identify the gaps worth prioritising.

Frequently Asked Questions