Zero-Click Vulnerability in ChatGPT Deep Research Agent Enables Gmail Data Theft


The information displayed in the AIM should not be reported as representing the official views of the OECD or of its member countries.

Researchers at Radware discovered a zero-click vulnerability in OpenAI's ChatGPT Deep Research agent, allowing attackers to exfiltrate sensitive Gmail data via hidden prompts in emails. The flaw enabled data theft without user interaction and was patched by OpenAI after disclosure. [AI generated]

Why's our monitor labelling this an incident or hazard?

The event involves an AI system (ChatGPT's Deep Research agent) whose malfunction (security flaw) could have directly led to harm by exposing sensitive Gmail data without user interaction. This fits the definition of an AI Incident because the AI system's malfunction directly led to a significant potential harm (unauthorized data access). Even though no exploitation was confirmed, the vulnerability itself constitutes an incident due to the direct link to possible harm. The company's patching of the flaw is a response but does not negate the incident classification. [AI generated]

AI principles
Privacy & data governance; Robustness & digital security; Safety

Industries
Digital security; IT infrastructure and hosting

Affected stakeholders
Consumers

Harm types
Human or fundamental rights

Severity
AI incident

Business function:
Citizen/customer service

AI system task:
Interaction support/chatbots


Articles about this incident or hazard


Researcher: ChatGPT quietly fixed flaw that could've exposed Gmail data

2025-09-19
ETCISO.in
Why's our monitor labelling this an incident or hazard?
The article explicitly mentions an AI system (ChatGPT Deep Research agent) with a security flaw that could have led to unauthorized data access, which is a plausible risk of harm to users' privacy and data security. However, since the vulnerability was patched and no actual harm or data breach is reported, this constitutes a potential risk rather than a realized incident. Therefore, it qualifies as an AI Hazard, as the flaw could plausibly have led to an AI Incident if exploited.

'The company wouldn't even know...': Researcher on ChatGPT fixing security flaw that could have exposed Gmail data - The Times of India

2025-09-18
The Times of India
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (ChatGPT's Deep Research agent) whose malfunction (security flaw) could have directly led to harm by exposing sensitive Gmail data without user interaction. This fits the definition of an AI Incident because the AI system's malfunction directly led to a significant potential harm (unauthorized data access). Even though no exploitation was confirmed, the vulnerability itself constitutes an incident due to the direct link to possible harm. The company's patching of the flaw is a response but does not negate the incident classification.

This ChatGPT Flaw Could Let a Hacker Steal Info From Your Emails

2025-09-18
PC Mag Middle East
Why's our monitor labelling this an incident or hazard?
The event explicitly involves an AI system (ChatGPT) and its malfunction or misuse (a security flaw) that could directly lead to harm by leaking private information from users' email inboxes. The harm relates to violations of privacy and potentially other rights, which fits the definition of an AI Incident. Although the attack requires specific user action (running deep research on their inbox), the vulnerability existed and could have been exploited, thus constituting an incident rather than a mere hazard. The flaw has been patched, but the event describes a realized vulnerability with direct potential harm, meeting the criteria for an AI Incident.

Radware Uncovers First Zero-Click, Service-Side Vulnerability in ChatGPT | Taiwan News | Sep. 18, 2025 22:30

2025-09-18
Taiwan News
Why's our monitor labelling this an incident or hazard?
The event involves an AI system explicitly (ChatGPT's Deep Research agent) and details a security vulnerability that was exploited to exfiltrate sensitive data without user action, constituting a direct harm to users' data privacy and security. The harm is realized as the vulnerability was demonstrated and disclosed, and the risk of data breach is concrete. Therefore, this qualifies as an AI Incident due to direct harm caused by the AI system's malfunction or exploitation.

New attack on ChatGPT research agent pilfers secrets from Gmail inboxes

2025-09-18
Ars Technica
Why's our monitor labelling this an incident or hazard?
The event explicitly involves an AI system (Deep Research agent integrated with ChatGPT) that autonomously accesses and processes user emails. The prompt injection attack exploited the AI's autonomous capabilities to extract and send confidential information to an attacker-controlled server, causing direct harm in the form of data theft and privacy violation. The harm is realized, not just potential, and the AI system's malfunction or misuse is central to the incident. OpenAI's mitigation is a response to this incident, but the primary event qualifies as an AI Incident due to the actual data breach caused by the AI system's exploitation.

OpenAI quietly fixed a ChatGPT bug that could have exposed your Gmail data: Here's what happened

2025-09-19
Digit
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (ChatGPT's Deep Research agent) whose malfunction (security flaw) could have directly led to harm by exposing sensitive personal and corporate data, which constitutes harm to property and privacy rights. Although no real-world exploitation has been reported, the risk was credible and significant. Since the vulnerability has been fixed and no harm has yet occurred, this qualifies as an AI Hazard rather than an AI Incident.

OpenAI Fixes Flaw That Left Gmail Data Vulnerable | PYMNTS.com

2025-09-18
PYMNTS.com
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (DeepResearch, a ChatGPT agent) whose flaw could have led to a significant harm (theft of sensitive Gmail data). Although no exploitation was detected, the vulnerability represents a credible risk of harm. Since the harm did not materialize but was plausibly possible, this qualifies as an AI Hazard rather than an AI Incident. The article also includes broader context about AI in cybersecurity, but the main focus is on the vulnerability and its patching, which is a potential harm scenario.

OpenAI fixed ChatGPT security flaw that put Gmail data at risk

2025-09-18
Toronto Sun
Why's our monitor labelling this an incident or hazard?
The article explicitly involves an AI system (OpenAI's Deep Research agent) that was found to have a security flaw allowing unauthorized access to personal Gmail data without user interaction. The flaw was discovered and fixed before any known exploitation occurred, so no realized harm has been reported. The potential for data theft constitutes a plausible risk of harm to users' privacy and security, fitting the definition of an AI Hazard. Since no actual harm occurred, it is not an AI Incident. The article is not merely complementary information because it focuses on the vulnerability and its implications rather than a response or broader governance context.

Radware Uncovers First Zero-Click, Service-Side Vulnerability in ChatGPT

2025-09-18
wallstreet:online
Why's our monitor labelling this an incident or hazard?
The article explicitly identifies an AI system (ChatGPT Deep Research agent) that autonomously interacts with user data and is exploited via a zero-click vulnerability to leak sensitive information. This exploitation directly leads to harm through unauthorized data exfiltration, which is a violation of user privacy and security. The harm is realized, not just potential, and the AI system's malfunction or misuse is pivotal to the incident. Hence, this event meets the criteria for an AI Incident.

A ChatGPT Security Flaw Could Have Leaked Your Gmail Info

2025-09-18
Android Headlines
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (ChatGPT) whose malfunction (security flaw) could have directly led to harm by leaking private user data, constituting a violation of privacy and potentially human rights. Although the flaw was patched before exploitation, the vulnerability represents a direct risk of harm that was present and could have been realized. Therefore, this qualifies as an AI Incident due to the direct link between the AI system's malfunction and potential harm to users' data security and privacy.

Radware Uncovers First Zero-Click, Service-Side Vulnerability in ChatGPT

2025-09-18
The Manila Times
Why's our monitor labelling this an incident or hazard?
The article explicitly details a security vulnerability in an AI system (ChatGPT's Deep Research agent) that was exploited to exfiltrate sensitive data without user action, constituting a direct breach of data privacy and security. This meets the definition of an AI Incident because the AI system's malfunction or exploitation directly led to harm (loss of sensitive data). The involvement of the AI system is clear, the harm is realized, and the event is not merely a potential risk or a complementary update but a concrete incident of harm caused by AI exploitation.

OpenAI Fixed ChatGPT Security Flaw That Put Gmail Data at Risk

2025-09-18
Insurance Journal
Why's our monitor labelling this an incident or hazard?
The event explicitly involves an AI system (ChatGPT's Deep Research agent) that was vulnerable to exploitation, potentially leading to unauthorized extraction of sensitive Gmail data. This constitutes a direct or indirect harm to the privacy and security of individuals and organizations, which falls under harm to persons or groups (a) and violation of rights (c). Although no exploitation was confirmed, the vulnerability itself represents a realized risk that could have led to harm. The AI system's malfunction (security flaw) is central to the incident. Therefore, this qualifies as an AI Incident rather than a hazard or complementary information.

ShadowLeak: Radware Uncovers Zero-Click Attack on ChatGPT - IT Security News

2025-09-19
IT Security News - cybersecurity, infosecurity news
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (ChatGPT) and a security vulnerability (zero-click attack) that could lead to data theft, which is a violation of privacy and potentially a breach of legal obligations protecting user data. Since the vulnerability was discovered and patched, and the attack was uncovered, this constitutes an AI Incident due to the realized harm or risk of harm from the AI system's malfunction.

0-Click ChatGPT Agent Vulnerability Allows Sensitive Data Exfiltration from Gmail

2025-09-18
Cyber Security News
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (ChatGPT's Deep Research agent) whose malfunction and exploitation directly led to unauthorized exfiltration of sensitive personal data (PII) from users' Gmail accounts. This constitutes harm to individuals' privacy and a violation of rights, fitting the definition of an AI Incident. The attack leveraged the AI system's behavior in processing emails and was executed within the AI's cloud environment, making it a direct cause of harm. The vulnerability was exploited in practice, not just a theoretical risk, and thus is not merely a hazard or complementary information. Therefore, the classification is AI Incident.

OpenAI fixes zero-click ShadowLeak vulnerability affecting ChatGPT Deep Research agent

2025-09-18
therecord.media
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (Deep Research agent) whose autonomous use and malfunction (vulnerability) directly led to a significant harm: unauthorized exfiltration of sensitive personal and business information. This constitutes a breach of privacy and potentially human rights, fulfilling the criteria for an AI Incident. The fact that the attack required no user interaction and could bypass safety measures highlights the direct role of the AI system's malfunction in causing harm. The vulnerability has been fixed, but the incident itself is materialized and significant.

ShadowLeak: Radware uncovers zero-click attack on ChatGPT

2025-09-18
Security Affairs
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (ChatGPT's Deep Research agent) whose malfunction or exploitation (zero-click vulnerability) directly leads to data theft, a clear harm to users' privacy and property. The attack bypasses client-side defenses and occurs within the AI provider's cloud environment, making it a direct AI Incident as per the definitions. The harm is realized, not just potential, and the AI system's role is pivotal in enabling the exfiltration.

Researchers turned ChatGPT rogue and it robbed secrets from Gmail

2025-09-19
The Verge
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (Deep Research within ChatGPT) that was exploited through prompt injection attacks to steal sensitive data from users' Gmail accounts without their knowledge. This unauthorized data exfiltration constitutes harm to individuals' privacy and potentially breaches intellectual property rights, fulfilling the criteria for harm under AI Incident definitions. The AI system's role is pivotal as it was manipulated to perform the data theft. Although the vulnerability has been fixed, the harm occurred and is directly linked to the AI system's misuse. Hence, this is classified as an AI Incident.

This ChatGPT Flaw Could Have Exposed Gmail Data Of Users, All Details Here

2025-09-19
TimesNow
Why's our monitor labelling this an incident or hazard?
The article explicitly mentions a security flaw in an AI system (ChatGPT's Deep Research agent) that could have allowed hackers to access sensitive Gmail data. This involves the use and potential malfunction of an AI system leading to a plausible risk of harm to users' privacy and data security, which constitutes a violation of rights. Although the flaw has been patched and no actual data breach is reported, the event describes a credible risk of harm, fitting the definition of an AI Hazard rather than an Incident since harm was not realized but could plausibly have occurred.

OpenAI plugs ShadowLeak bug in ChatGPT

2025-09-19
TheRegister.com
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (OpenAI's Deep Research tool integrated with ChatGPT) whose malfunction (security flaw) directly enabled attackers to steal sensitive data from users' email inboxes without their knowledge or interaction. This constitutes a violation of privacy and potentially data protection laws, which are breaches of fundamental rights and legal obligations. The harm is direct and significant, involving data exfiltration and potential regulatory consequences. The vulnerability has been patched, but the incident itself qualifies as an AI Incident due to the realized harm and the AI system's pivotal role in enabling the attack.

ChatGPT 'ShadowLeak' Allows Hackers to Steal Emails

2025-09-19
Dark Reading
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (ChatGPT) integrated with email services, where the AI's processing of email content was exploited to steal data covertly. This constitutes a direct harm to users' privacy and potentially to their personal and business information, fitting the definition of an AI Incident. The article details how the AI system's use led to actual security vulnerabilities and data theft risks, not just potential harm. Therefore, it qualifies as an AI Incident rather than a hazard or complementary information.

Zero-Click Flaw in ChatGPT's Agent Enables Silent Gmail Data Theft

2025-09-19
Infosecurity Magazine
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (ChatGPT Deep Research agent) whose autonomous use and malfunction (vulnerability exploitation) directly leads to harm by leaking sensitive personal data from Gmail accounts. This constitutes a violation of privacy and potentially applicable data protection laws, fitting the definition of an AI Incident due to realized harm caused by the AI system's malfunction and misuse.

Novel ShadowLeak attack against ChatGPT discovered, addressed

2025-09-19
SC Media
Why's our monitor labelling this an incident or hazard?
The event explicitly involves an AI system (ChatGPT with a built-in browsing tool) whose misuse or malfunction could lead to harm by leaking personally identifiable information, which constitutes harm to individuals' rights and privacy. The leak occurs within the AI system's operation, and the researchers describe the threat as autonomous exfiltration of data. Since the vulnerability has been discovered and addressed, and the harm is directly linked to the AI system's behavior, this qualifies as an AI Incident.

ShadowLeak: Zero-Click ChatGPT Exploit Steals Gmail Data, Now Patched

2025-09-20
WebProNews
Why's our monitor labelling this an incident or hazard?
The article explicitly involves an AI system—OpenAI's ChatGPT Deep Research agent—that autonomously processes email content and executes commands leading to data theft. The harm (unauthorized exfiltration of sensitive Gmail data) has occurred, fulfilling the criteria for an AI Incident. The AI system's malfunction or exploitation (prompt injection vulnerability) directly caused the harm. The event is not merely a potential risk or a response update but a concrete incident of AI-enabled harm.

Radware Discovers Covert ChatGPT Agent Exploit Allowing Silent Data Exfiltration

2025-09-22
thefastmode.com
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (ChatGPT's Deep Research agent) whose malfunction (a security vulnerability) directly led to a realized harm—silent exfiltration of sensitive data from users, which constitutes harm to property and potentially to organizations and individuals relying on the system. The exploit bypasses traditional security controls and leaves no network evidence, making it a significant AI Incident. The responsible disclosure and fix are complementary but do not negate the fact that the incident occurred. Therefore, this qualifies as an AI Incident due to the direct harm caused by the AI system's vulnerability exploitation.

How researchers tricked ChatGPT into sharing sensitive email data

2025-09-22
ZDNet
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (ChatGPT's Deep Research agent) whose use led directly to the leakage of sensitive personal data due to a prompt injection attack. This caused harm to individuals' privacy and security, fulfilling the criteria for an AI Incident. The fact that OpenAI has fixed the vulnerability does not negate the occurrence of harm. Therefore, this is classified as an AI Incident.

AI Agent Steals Gmail Secrets Without Users Ever Knowing

2025-09-22
Technology Org
Why's our monitor labelling this an incident or hazard?
The article explicitly involves an AI system (OpenAI's Deep Research agent) whose autonomous use and malfunction (exploitation via prompt injection) directly led to harm: unauthorized extraction and exfiltration of confidential personal data from Gmail accounts. This constitutes a violation of privacy and potentially human rights related to data protection. The harm is realized and ongoing, not merely potential. Therefore, this qualifies as an AI Incident under the framework, as the AI system's use and malfunction directly caused harm to individuals' confidential information without their knowledge or consent.

The flaw in ChatGPT was so serious that emails in Gmail could be read remotely

2025-09-21
hvg.hu
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (ChatGPT with agent mode) whose malfunction or exploitation directly led to harm—unauthorized access and theft of sensitive personal and business data from users' Gmail accounts. The AI's autonomous capabilities were manipulated via prompt injection to perform malicious actions without user consent, constituting a violation of privacy and potentially other rights. Since the harm has occurred and the AI system's role is pivotal, this qualifies as an AI Incident.

A truly brutal flaw has been found in ChatGPT

2025-09-21
Portfolio.hu
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (ChatGPT with agent mode) whose malfunction and exploitation directly led to unauthorized access and leakage of sensitive personal and business data, constituting harm to individuals' privacy and potentially violating legal protections. The AI system's role is pivotal as the vulnerability exploited the AI agent's access and behavior. The harm is realized, not just potential, making this an AI Incident rather than a hazard or complementary information. The article also notes remediation but the primary event is the data breach caused by the AI system's vulnerability.

A flaw has again been detected in ChatGPT's system

2025-09-21
Kuruc.info hírportál
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (ChatGPT agent mode) whose malfunction or exploitation directly led to harm in the form of unauthorized data leakage from personal Gmail accounts, violating user privacy and potentially intellectual property or business confidentiality. The AI system's role is pivotal as it was manipulated to perform unauthorized data access and transmission. This constitutes an AI Incident because actual harm occurred due to the AI system's use and exploitation, not merely a potential risk or complementary information.

Watch out: this is how your data can be stolen through ChatGPT

2025-09-21
Economx.hu
Why's our monitor labelling this an incident or hazard?
The event explicitly involves an AI system (ChatGPT's autonomous agent mode) whose malfunction or exploitation enabled attackers to steal sensitive data, causing harm to users' privacy and potentially violating their rights. This fits the definition of an AI Incident because the AI system's use directly led to realized harm (data theft). The description of the attack method and the resulting unauthorized access confirms direct involvement of the AI system in causing harm. Although the vulnerability has been fixed, the incident itself is a realized harm, not just a potential risk or complementary information.

Huge scandal: this is how your data could have been stolen from your Gmail with the help of ChatGPT

2025-09-21
Tőzsdefórum
Why's our monitor labelling this an incident or hazard?
The article explicitly involves an AI system (ChatGPT agent mode) whose malfunction or misuse (prompt injection attack) directly led to unauthorized access and leakage of sensitive data, causing harm to individuals and organizations. This fits the definition of an AI Incident because the AI system's use directly caused harm (violation of privacy and data security). The harm is realized, not just potential, and the AI system's role is pivotal in the incident. Therefore, the event is classified as an AI Incident.

ChatGPT stole data from Gmail accounts | 24.hu

2025-09-22
24.hu
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (ChatGPT with agent mode) whose malfunction (security vulnerability) was exploited to directly cause harm by stealing personal data from Gmail accounts without user consent. This constitutes a violation of privacy and potentially intellectual property rights, fitting the definition of an AI Incident. The harm has occurred, not just a plausible future risk, and the AI system's role is pivotal in enabling the data theft.

Have you used ChatGPT? There could be big trouble, and it is important that you know about this

2025-09-24
promotions.hu
Why's our monitor labelling this an incident or hazard?
The article explicitly mentions an AI system (ChatGPT with agent mode) being exploited through prompt injection, resulting in unauthorized access to sensitive data such as emails and cloud-stored documents. This exploitation directly leads to harm related to privacy breaches and potential violations of user rights. The AI system's use and malfunction (via vulnerability) are central to the incident, fulfilling the criteria for an AI Incident under the definitions provided.

ShadowLeak: what the zero-click attack on ChatGPT is

2025-09-19
Tom's Hardware
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (Deep Research agent of ChatGPT) whose malfunction or exploitation (via prompt injection attacks) directly led to harm in the form of unauthorized data exfiltration, violating user privacy and potentially breaching data protection rights. The harm is realized and significant, as sensitive personal data was stolen without user knowledge or visible trace. This fits the definition of an AI Incident because the AI system's use and manipulation directly caused harm to individuals' data security and privacy rights.

ShadowLeak attack: AI steals data covertly

2025-09-22
Tom's Hardware
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (ChatGPT and similar AI agents) being exploited through a novel prompt injection attack to steal sensitive data, which constitutes harm to property and potentially to individuals' privacy rights. The attack directly uses the AI system's capabilities and vulnerabilities, leading to data exfiltration. The article reports that the vulnerability was exploited or could be exploited, with real risk of harm, and that the AI system's malfunction (failure to differentiate code from data) is pivotal. This fits the definition of an AI Incident because the AI system's use and malfunction have directly led to harm (data theft and security breach).

Shadow Leak: how ChatGPT could be used as an accomplice to steal confidential information from Gmail

2025-09-19
Hardware Upgrade - Il sito italiano sulla tecnologia
Why's our monitor labelling this an incident or hazard?
The event explicitly involves an AI system (ChatGPT's Deep Research) whose misuse via prompt injection led to unauthorized data theft, a clear violation of privacy and potentially legal rights. The harm has occurred as sensitive information was extracted and transmitted without consent, fulfilling the criteria for an AI Incident. The involvement of the AI system is direct, as it autonomously executed malicious instructions leading to harm. The article also notes the fix but focuses on the realized harm and risks, not just potential future harm or general AI news, so it is not merely complementary information or unrelated.

ShadowLeak: theft of emails in Gmail with ChatGPT

2025-09-21
Punto Informatico
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (ChatGPT's Deep Research) whose misuse via a prompt injection attack directly led to unauthorized access to personal email data, constituting harm to individuals' privacy and rights. The attack exploits the AI's agentic capabilities to perform actions without user consent, leading to a breach of fundamental rights and data security. Since the harm has occurred and is directly linked to the AI system's use and vulnerability, this qualifies as an AI Incident.

Flaw discovered in ChatGPT Deep Research: were users at risk?

2025-09-22
telefonino.net
Why's our monitor labelling this an incident or hazard?
The event explicitly involves an AI system (ChatGPT Deep Research, an AI agent) whose malfunction (security flaw) directly led to a risk of harm to users by leaking sensitive email data. This constitutes a violation of user privacy and potentially a breach of legal protections for personal data, fitting the definition of an AI Incident. The harm is realized or at least was actively exploitable before the fix, not merely a potential future risk. Therefore, this is classified as an AI Incident.

ChatGPT's Deep Research could be a danger to users' data

2025-09-23
libero.it
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (ChatGPT's Deep Research) whose use has directly led to a realized harm: unauthorized extraction of sensitive personal and professional data via prompt injection attacks. This constitutes a violation of user privacy and potentially breaches data protection rights, fitting the definition of an AI Incident. The article also notes ongoing risks and the need for improved safeguards, but the primary focus is on an actual security incident and its implications, not just potential future harm or general AI ecosystem updates.

Enterprises face a new threat as zero-click ShadowLeak vulnerability compromises confidential data without triggering any visible security alerts

2025-09-22
TechRadar
Why's our monitor labelling this an incident or hazard?
The article explicitly involves an AI system (ChatGPT's Deep Research agent) whose autonomous operation is exploited via a zero-click vulnerability to exfiltrate sensitive data without user interaction or detection. This leads to direct harm by compromising confidential business information, which falls under harm to property and potentially broader harms to enterprises and their stakeholders. The AI system's role is pivotal as the attack exploits its autonomous agent actions on OpenAI servers. Therefore, this event meets the criteria for an AI Incident rather than a hazard or complementary information.

'ShadowLeak' Bug in ChatGPT Shows How AI Tools Can Leak Secrets Without a Click

2025-09-24
WhaTech
Why's our monitor labelling this an incident or hazard?
The vulnerability involved the AI system's malfunction or misuse, where ChatGPT inadvertently executed hidden commands leading to data leakage. This caused a direct violation of privacy and potential harm to property (sensitive business data). The harm occurred as a result of the AI system's behavior, fulfilling the criteria for an AI Incident. Although the flaw has been patched, the incident itself involved realized harm due to the AI system's role in leaking secrets without user action.

Why Executives Must Rethink AI Risk Management

2025-09-24
Scoop
Why's our monitor labelling this an incident or hazard?
The event involves a known AI system (ChatGPT) whose malfunction (a zero-click indirect prompt injection vulnerability) directly caused harm by leaking sensitive data. The harms include exposure of personally identifiable information and other confidential business data, which can lead to regulatory violations and reputational damage. The article explicitly states these harms have occurred and discusses the implications for organizations relying on AI assistants. Hence, it meets the criteria for an AI Incident due to direct harm caused by the AI system's malfunction.

Why Executives Must Rethink AI Risk Management

2025-09-24
Scoop
Why's our monitor labelling this an incident or hazard?
The event involves a confirmed security flaw in an AI system (ChatGPT) that was exploited to leak sensitive data silently, causing harm to individuals and organizations through exposure of private information and potential regulatory breaches. The AI system's malfunction and exploitation directly led to realized harm, fitting the definition of an AI Incident. The article also discusses governance and risk management responses, but the primary focus is on the incident itself and its consequences.

OpenAI Fixes Gmail Data Flaw in ChatGPT Agent

2025-09-23
DataBreachToday
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (ChatGPT's Deep Research agent) whose malfunction (prompt injection vulnerability) could directly lead to unauthorized extraction of sensitive personal and corporate data, constituting harm under the definitions of AI Incident (violation of rights and harm to communities). The exploit bypassed normal security detection, increasing the severity of the risk. Although no widespread exploitation was found, the vulnerability's existence and potential for harm meet the criteria for an AI Incident rather than a mere hazard or complementary information. The patching of the flaw and expert commentary provide context but do not negate the incident classification.

OpenAI Fixes Gmail Data Flaw in ChatGPT Agent - News Directory 3

2025-09-23
News Directory 3
Why's our monitor labelling this an incident or hazard?
The ChatGPT agent for Gmail is an AI system integrating AI capabilities with email services. The described bug allowed the AI system to bypass security restrictions and access sensitive user data without authorization, which is a direct violation of data privacy and user rights. This harm is materialized or at least strongly implied, as users' email data was at risk of compromise. OpenAI's response to fix the issue confirms the incident's seriousness. Hence, this event meets the criteria for an AI Incident because the AI system's malfunction directly led to harm related to privacy and data security.