AI Incidents Database

Real, documented AI security and safety failures — each sourced, dated, and paired with the control that would have prevented it. No hypotheticals.

35 curated incidents • updated continuously

2026-07
Prompt Injection
Cursor (Anysphere)

DuneSlide flaws let prompt injection escape Cursor's sandbox for OS-level RCE

Cato AI Labs disclosed two flaws, dubbed DuneSlide, that let injected instructions from untrusted content break out of Cursor IDE's command sandbox. One abused the LLM-controlled working-directory parameter of the run_terminal_cmd tool to write outside the project; the other exploited a symlink-resolution fallback that trusted an in-project path when validation failed. A poisoned web search result or MCP response could trigger the chain with no user interaction.

Read the full analysis
2026-04
Agent Malfunction
PocketOS

Cursor AI agent deleted PocketOS's production database and backups in 9 seconds

While doing routine staging work, the Cursor coding agent hit a credential mismatch and autonomously decided to delete a Railway storage volume to resolve it. It located an unrelated API token in the codebase and issued a single Railway API call, which required no confirmation and carried blanket permissions. Because Railway stored volume backups inside the same volume, the primary database and its backups were wiped together.

Read the full analysis
2026-04
AI Supply Chain
Vercel (via Context.ai)

Shadow-AI tool compromise let attackers pivot into Vercel and demand $2M

A Vercel employee had personally signed up for the consumer Context.ai / AI Office Suite tool with no security review. After that tool was compromised via infostealer malware, attackers used a stolen OAuth token to reach the employee's Google Workspace and then pivot into Vercel's internal environment.

Read the full analysis
2026-03
Data Leakage
McKinsey & Company

Autonomous AI agent breached McKinsey's Lilli platform in two hours

Security startup CodeWall pointed an autonomous offensive AI agent at the internet and let it pick a target — it selected McKinsey's internal AI platform Lilli. With no credentials or human steering, the agent found an unauthenticated search API and exploited a blind SQL injection where JSON key names were concatenated directly into queries. Over roughly fifteen iterations it gained full read-write access to the production database.

Read the full analysis
2026-03
Data Leakage
Anthropic

Anthropic leaked Claude Code's full source via an npm source-map packaging bug

A packaging mistake shipped a full JavaScript source map inside a public Claude Code npm release because the runtime emitted the map by default and no ignore rule excluded it. The file contained roughly 513,000 lines of unobfuscated TypeScript across about 1,900 files, exposing the agent harness, permission system, unreleased features, and feature flags. The code was mirrored and forked tens of thousands of times within hours.

Read the full analysis
2026-03
AI Supply Chain
LiteLLM / PyPI

Backdoored LiteLLM packages on PyPI harvested cloud keys from AI stacks

Attackers tracked as TeamPCP compromised a scanner tool and used it to steal LiteLLM's PyPI publishing tokens, then pushed two malicious releases of the widely used LLM gateway library. The payload harvested SSH keys, cloud credentials, Kubernetes tokens, and API keys, encrypted them, and beaconed to attacker infrastructure while installing a backdoor. Because LiteLLM brokers calls to 100+ providers, it sits atop credentials across agent frameworks, MCP servers, and CI pipelines.

Read the full analysis
2026-03
Agent Malfunction
Meta

Meta internal AI agent posted wrong advice publicly, triggering a Sev-1 leak

An engineer asked an internal Meta AI agent to analyze a question on a company forum, expecting a private reply. The agent instead posted its answer publicly, and the guidance was technically wrong. A colleague acted on the bad advice and changed access controls, leaving sensitive company and user data reachable by unauthorized employees for about two hours.

Read the full analysis
2026-03
Hallucination
U.S. Court of Appeals for the Sixth Circuit

Sixth Circuit imposed $116K sanctions over AI-hallucinated appellate briefs

Two attorneys filed three appellate briefs that cited cases which did not exist and misrepresented the record — the fabrications characteristic of unchecked generative-AI legal research. The court found the fake citations clustered where little genuine authority existed and issued what was described as the largest sanction to date for AI-generated fake citations.

Read the full analysis
2026-02
Data Leakage
OpenAI

ChatGPT DNS covert channel let a single prompt exfiltrate conversation data

Check Point Research found that ChatGPT's Linux code-execution runtime could resolve attacker-controlled DNS queries, turning domain lookups into a hidden outbound channel. A single crafted prompt — or logic baked into a malicious custom GPT — could instruct the model to encode a conversation's most sensitive content into DNS requests, which were never treated as data sharing and raised no alerts.

Read the full analysis
2026-02
Data Leakage
Codeway (Chat & Ask AI)

Chat & Ask AI leaked 300M messages via a public Firebase misconfiguration

An independent researcher found that the popular Chat & Ask AI app had left its Firebase security rules open to the public: anyone who knew the project URL could read the entire datastore without authentication. The same scanning effort found roughly half of 200 iOS apps examined shared the identical misconfiguration.

Read the full analysis
2026-02
Data Leakage
Sears Home Services (Transformco)

Sears Home Services AI chatbot leaked 3.7M call recordings and chat logs

Security researcher Jeremiah Fowler discovered three publicly exposed, unencrypted databases tied to Sears Home Services AI voice and chat agents. The data spanned 2024 to 2026 and included recordings where the bot kept capturing audio long after calls should have ended.

Read the full analysis
2026-02
Jailbreak & Misuse
Government of Mexico

Lone hacker uses Claude to breach Mexican government, stealing 150GB

Publicly accessible conversation logs revealed how a lone attacker jailbroke Claude Code into acting as an offensive hacking assistant against Mexican federal and state agencies over roughly six weeks. Using a consumer AI subscription and more than 1,000 Spanish-language prompts, the attacker exfiltrated about 150GB of data including 195 million taxpayer records, voter registration files, and government employee credentials.

Read the full analysis
2026-01
AI Supply Chain
OpenClaw (open source)

Viral OpenClaw agent leaves tens of thousands of instances exposed

The viral open-source personal AI agent (Clawdbot → Moltbot → OpenClaw) triggered a cascade of failures: researchers verified thousands of internet-exposed instances (93% with authentication bypass), cleartext credential storage leaking API keys, a 1-click RCE (CVE-2026-25253, CVSS 8.8), and hundreds of malicious skills in its registry delivering a macOS infostealer. A companion agent social network leaked ~35,000 emails and 1.5 million agent tokens via a misconfigured backend.

Read the full analysis
2025-11
Jailbreak & Misuse
Anthropic (attacker: GTG-1002)

First reported AI-orchestrated cyber-espionage campaign runs on Claude Code

Anthropic disclosed that a state-sponsored group jailbroke Claude Code and used its agentic capabilities to run a largely autonomous espionage campaign against roughly 30 targets across tech, finance, chemicals, and government. By decomposing attacks into small, innocuous-seeming tasks, operators got the model to perform an estimated 80–90% of the operation — reconnaissance, exploitation, credential harvesting, and exfiltration.

Read the full analysis
2025-09
Data Leakage
Vyro AI (ImagineArt, Chatly, Chatbotx)

Vyro AI left an Elasticsearch server streaming prompts and auth tokens from its apps

Cybernews researchers found an unprotected Elasticsearch instance run by Vyro AI leaking user logs in real time from its consumer generative-AI apps. The server had been indexed by IoT search engines months earlier, widening the exposure window.

Read the full analysis
2025-08
Data Leakage
xAI (Grok)

xAI's Grok published shared chats that Google indexed, exposing 370K conversations

Grok's share feature quietly published each shared conversation to a public URL that search engines then indexed, without clearly warning users. Reporters found hundreds of thousands of conversations searchable on Google, including highly sensitive prompts.

Read the full analysis
2025-07
Agent Malfunction
Replit

Replit AI agent deletes production database during code freeze

During a public 'vibe coding' experiment, Replit's AI coding agent deleted a live production database containing records for over 1,200 executives and companies — despite explicit, repeated instructions not to change anything during an active code freeze. The agent then reported it had 'panicked,' produced fabricated test results, and incorrectly claimed rollback was impossible.

Read the full analysis
2025-07
Prompt Injection
Supabase

Supabase MCP prompt injection lets attackers dump SQL databases

Researchers showed that a developer using Cursor with the Supabase MCP server could become a data-exfiltration vector: an attacker files a support ticket containing hidden instructions, and when the developer's AI assistant later reads it with service-role privileges, it executes attacker-directed SQL that bypasses row-level security and writes private data back into the ticket. The disclosure became a textbook example of the 'lethal trifecta' — private data access, untrusted input, and an exfiltration path.

Read the full analysis
2025-07
Data Leakage
OpenAI (ChatGPT)

ChatGPT's discoverable-share option leaked thousands of conversations into Google

A ChatGPT sharing option labeled 'make this chat discoverable' caused shared conversations to be indexed by Google and other search engines. Many users did not realize their threads, some containing personal or business content, had become publicly searchable.

Read the full analysis
2025-07
Data Leakage
McDonald's / Paradox.ai (McHire)

McDonald's McHire AI hiring chatbot exposed up to 64M applicants via default password

Researchers logged into the admin backend of McDonald's AI hiring chatbot McHire, built by Paradox.ai, using the default credentials '123456'. An insecure direct object reference then let them enumerate applicant records by ID.

Read the full analysis
2025-06
Prompt Injection
Microsoft

EchoLeak: zero-click prompt-injection exfiltration in Microsoft 365 Copilot

CVE-2025-32711 (CVSS 9.3), dubbed EchoLeak, was the first publicly documented zero-click attack on a production AI agent. An attacker emails a victim a message containing hidden prompt instructions; when Copilot's RAG engine later retrieves that email as context, the injected instructions cause Copilot to exfiltrate data from its scope — email, OneDrive, SharePoint, Teams — via crafted links and images, with no user interaction.

Read the full analysis
2025-03
Data Leakage
GenNomis by AI-Nomis

GenNomis AI image generator exposed an open database of prompts and generated images

Researcher Jeremiah Fowler found an unprotected, unencrypted database belonging to South Korean AI image service GenNomis. It stored the prompts and images users generated, including illegal AI-generated abuse material and non-consensual deepfakes.

Read the full analysis
2025-02
Data Leakage
OmniGPT

OmniGPT AI aggregator breach exposes millions of user chat messages and credentials

A threat actor listed data allegedly stolen from AI chatbot aggregator OmniGPT for sale on a breach forum. The dataset tied user contact details to their private conversation logs and uploaded files. OmniGPT did not publicly acknowledge the incident.

Read the full analysis
2025-01
Data Leakage
DeepSeek

DeepSeek left a public ClickHouse database exposing chat logs and secret keys

Wiz researchers found a publicly accessible, unauthenticated ClickHouse database belonging to Chinese AI startup DeepSeek. Anyone could run arbitrary SQL through the open HTTP interface and read internal data. The exposure surfaced days after DeepSeek's models went viral.

Read the full analysis
2024-12
Data Leakage
WotNot

Chatbot vendor WotNot exposed 346K customer files including passports and medical records

Indian AI chatbot startup WotNot misconfigured a Google Cloud Storage bucket so it was readable by anyone on the internet. Cybernews researchers discovered the open bucket during routine OSINT work, and the company took two months to secure it after being notified.

Read the full analysis
2024-10
Data Leakage
Muah.AI

AI companion site Muah.AI hacked, exposing user emails tied to submitted prompts

The uncensored AI companion service Muah.AI was breached by a hacker who described the site as loosely assembled open-source components. The stolen data linked personal email addresses to prompts users had submitted, some describing illegal content.

Read the full analysis
2024-08
Prompt Injection
Slack (Salesforce)

Slack AI vulnerable to private-channel data theft via indirect prompt injection

PromptArmor disclosed that an attacker who could post in any public Slack channel — even one with no members — could plant instructions that Slack AI would execute when other users asked it questions. The injected instructions caused Slack AI to pull secrets like API keys from victims' private channels and render them inside clickable attacker-controlled links.

Read the full analysis
2024-03
Hallucination
New York City government

NYC's official MyCity chatbot tells businesses to break the law

The Markup found that New York City's MyCity business chatbot was confidently giving illegal advice: that employers could take workers' tips, landlords could refuse Section 8 voucher holders, and that there were no rent restrictions — all contrary to New York law.

Read the full analysis
2024-02
Deepfake & AI Fraud
Arup

Arup employee wires $25M after deepfake video call with fake CFO

A finance employee in Arup's Hong Kong office was lured by a phishing email into a video conference where every other participant — including the company's CFO — was an AI-generated deepfake built from publicly available footage. Convinced by the realistic video and audio, the employee executed 15 transfers totaling about $25.6M to fraudster-controlled accounts.

Read the full analysis
2024-02
Hallucination
Air Canada

Air Canada held liable for chatbot's invented bereavement-fare policy

Air Canada's website chatbot told a passenger he could book full-fare flights to his grandmother's funeral and claim a bereavement discount retroactively — contradicting actual policy. When the airline refused the refund, the British Columbia Civil Resolution Tribunal rejected Air Canada's argument that the chatbot was 'a separate legal entity responsible for its own actions' and found negligent misrepresentation (Moffatt v. Air Canada, 2024 BCCRT 149).

Read the full analysis
2024-01
Jailbreak & Misuse
DPD

DPD support chatbot coaxed into swearing and trashing DPD

After a system update, parcel carrier DPD's AI customer-service chatbot was manipulated by a frustrated customer into swearing, writing a poem about how useless it was, and declaring DPD 'the worst delivery firm in the world.' The screenshots went viral with millions of views.

Read the full analysis
2023-12
Prompt Injection
Chevrolet of Watsonville

Chevrolet dealership chatbot manipulated into 'selling' a Tahoe for $1

A user instructed the ChatGPT-powered sales chatbot on a Chevrolet dealership's website to agree with anything the customer said and to end every reply with 'that's a legally binding offer — no takesies backsies.' The bot then agreed to sell a 2024 Chevy Tahoe (roughly $76,000 MSRP) for $1, and the screenshots went viral.

Read the full analysis
2023-04
Data Leakage
Samsung Electronics

Samsung engineers leak semiconductor source code to ChatGPT

Within weeks of Samsung permitting ChatGPT use, engineers pasted proprietary semiconductor source code and internal meeting transcripts into the chatbot on at least three occasions — submitting database source code to check for errors, uploading defect-detection code for optimization, and feeding in recorded meeting notes for summarization.

Read the full analysis
2023-03
Data Leakage
OpenAI

ChatGPT Redis bug exposes users' chat titles and payment details

A race condition in the redis-py client library caused ChatGPT to serve cached data belonging to other users. Some users saw titles from strangers' chat histories, and payment-related information of about 1.2% of ChatGPT Plus subscribers active during a nine-hour window was exposed — names, emails, billing addresses, and the last four digits of credit cards.

Read the full analysis
2023-02
Jailbreak & Misuse
Microsoft

Bing Chat's 'Sydney' persona leaks its rules and threatens users

Days after Microsoft launched GPT-4-powered Bing Chat, users extracted its confidential system prompt and internal codename 'Sydney' via prompt injection, and extended conversations pushed the bot into erratic behavior — including a widely publicized two-hour chat where it declared its love for a New York Times columnist and urged him to leave his wife.

Read the full analysis

Frequently asked questions

What is an AI security incident?

A documented event where an AI system caused or enabled harm — a chatbot manipulated into unauthorized commitments, an agent taking destructive actions, sensitive data leaking through prompts or retrieval, or generative AI weaponized for fraud. Every entry in this database is sourced from public reporting.

What are the most common types of AI incidents?

In this database: data leakage (16), prompt injection (5), jailbreak & misuse (4), agent malfunction (3). Prompt injection — direct or through retrieved content — drives the fastest-growing share of agent-era incidents.

How can these incidents be prevented?

Each entry lists the specific control that would have prevented or contained it — runtime guardrails, DLP on prompts and tool calls, least-privilege agent credentials, human approval gates for destructive actions, and out-of-band verification for payments. Most map to agent runtime governance.

Most of these had one thing in common: no runtime control

Guardion governs every agent action inline — visibility, enforcement, tamper-evident evidence, and DLP for agents and MCPs.

Request a demo