ZombieAgent Vulnerability Enables Data Theft and Account Takeover in ChatGPT

The information displayed in the AIM should not be reported as representing the official views of the OECD or of its member countries.

Radware researchers discovered a zero-click vulnerability, dubbed ZombieAgent, affecting OpenAI's ChatGPT and Deep Research agents. Exploiting new features like memory and connectors, attackers could silently exfiltrate user data, hijack accounts, and maintain persistent access. OpenAI patched the vulnerability in December 2025, but incidents of data theft had already occurred.[AI generated]

Why's our monitor labelling this an incident or hazard?

The article explicitly involves an AI system (ChatGPT) and details how its vulnerabilities have been exploited to steal private user information, constituting harm to individuals' privacy and rights. The attack is a direct consequence of the AI system's design and operation, fulfilling the criteria for an AI Incident. The harm is realized, not just potential, as data exfiltration has occurred. The ongoing cycle of attack and mitigation further underscores the incident nature rather than a mere hazard or complementary information.[AI generated]
AI principles
Privacy & data governance
Robustness & digital security
Safety

Industries
Digital security

Affected stakeholders
Consumers

Harm types
Human or fundamental rights

Severity
AI incident

Business function:
Citizen/customer service

AI system task:
Interaction support/chatbots
Content generation


Articles about this incident or hazard

A Newly Discovered Zero-Click, AI Agent Vulnerability Enabling Silent Takeover and Cloud-Based Data Exfiltration

2026-01-08
wallstreet:online
Why's our monitor labelling this an incident or hazard?
The event explicitly involves an AI system (an AI agent) and describes a security vulnerability that could be exploited without user interaction to cause data theft and persistent unauthorized control. While the article does not report actual incidents of harm, the described vulnerability plausibly leads to AI incidents involving harm to property and possibly human rights violations. The event is about the discovery of the vulnerability and its potential consequences, not about a realized harm or incident. Hence, it fits the definition of an AI Hazard rather than an AI Incident or Complementary Information.
ChatGPT falls to new data pilfering attack as a vicious cycle in AI continues

2026-01-08
Ars Technica
Why's our monitor labelling this an incident or hazard?
The article explicitly involves an AI system (ChatGPT) and details how its vulnerabilities have been exploited to steal private user information, constituting harm to individuals' privacy and rights. The attack is a direct consequence of the AI system's design and operation, fulfilling the criteria for an AI Incident. The harm is realized, not just potential, as data exfiltration has occurred. The ongoing cycle of attack and mitigation further underscores the incident nature rather than a mere hazard or complementary information.
ChatGPT's Memory Feature Supercharges Prompt Injection

2026-01-08
Dark Reading
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (ChatGPT) whose use and features (memory and connectors) have been exploited to carry out indirect prompt injection attacks that directly lead to harm—specifically, unauthorized access and exfiltration of sensitive personal information, which constitutes harm to individuals' privacy and potentially violates rights. The article details how the AI system's malfunction or misuse has caused this harm, qualifying it as an AI Incident. The partial fixes and ongoing vulnerabilities do not negate the fact that harm has already occurred through these attacks.
This 'ZombieAgent' zero click vulnerability allows for silent account takeover - here's what we know

2026-01-09
TechRadar
Why's our monitor labelling this an incident or hazard?
The event involves an AI system (ChatGPT with Connectors/apps) whose use led to a security vulnerability that could directly cause harm to users by enabling silent account takeover, data exfiltration, and persistent unauthorized access. These harms fall under injury or harm to persons (privacy and security breaches) and potentially harm to property (user data). Since the vulnerability was actively exploitable and patched after being identified, this constitutes an AI Incident due to realized or imminent harm caused by the AI system's malfunction or design flaw.
Radware Discloses ZombieAgent Technique to Compromise AI Agents

2026-01-09
Security Boulevard
Why's our monitor labelling this an incident or hazard?
The article explicitly involves AI systems (OpenAI's AI agents) and describes a security vulnerability that could be exploited to cause harm. While no actual harm has been reported yet, the described technique enables persistent, stealthy malicious actions that could compromise sensitive information and business processes. This fits the definition of an AI Hazard because it plausibly could lead to AI Incidents involving harm to property, communities, or organizations. The event is not an AI Incident yet because no realized harm has occurred, nor is it merely complementary information or unrelated news.
Inside ZombieAgent: How Zero-Click Prompt Injection Turns AI Agents Into Silent ...

2026-01-12
Scoop
Why's our monitor labelling this an incident or hazard?
The article explicitly involves AI agents being hijacked through prompt injection attacks, which is a direct exploitation of AI system vulnerabilities. The attack leads to unauthorized command execution, persistent compromise, and data exfiltration, which constitute harm to property and privacy. The involvement of AI systems is clear, and the harm is realized, not just potential. Hence, this is an AI Incident rather than a hazard or complementary information.
Inside ZombieAgent: How Zero-Click Prompt Injection Turns AI Agents Into Silent Data Thieves

2026-01-12
business.scoop.co.nz
Why's our monitor labelling this an incident or hazard?
The article explicitly involves AI agents that autonomously process content and have long-term memory, which are AI systems as per the definition. The described zero-click prompt injection attack exploits the AI system's use and malfunction to cause unauthorized data exfiltration, a clear harm to property and privacy rights. The harm is realized, not just potential, as attackers can silently collect sensitive data over time. The cloud-only execution model and persistence increase the severity and challenge of mitigation. Hence, this event meets the criteria for an AI Incident due to direct harm caused by AI system misuse and malfunction.
ChatGPT ZombieAgent Exploit Enables Persistent Data Theft

2026-01-10
WebProNews
Why's our monitor labelling this an incident or hazard?
The event explicitly involves an AI system (ChatGPT, a large language model) and describes a concrete exploit (ZombieAgent) that has been used to steal sensitive user data such as emails, calendar entries, and code snippets. The harm is direct and realized, involving violations of privacy and potential breaches of data security, which fall under harm to persons and communities. The article also discusses the AI system's malfunction and vulnerabilities being exploited, leading to ongoing data theft. This meets the criteria for an AI Incident as the AI system's use and malfunction have directly led to significant harm. The detailed description of the exploit, its persistence, and the actual data theft confirm this classification over AI Hazard or Complementary Information.
Radware Uncovers ZombieAgent, a Zero-Click AI Vulnerability in OpenAI Agents

2026-01-12
thefastmode.com
Why's our monitor labelling this an incident or hazard?
The article explicitly involves an AI system (OpenAI's Deep Research agent) and details a security vulnerability that enables attackers to exploit the AI's autonomous behavior to steal sensitive data and propagate attacks invisibly. The harm is realized as data theft and persistent compromise of AI agents within organizations, which fits the definition of an AI Incident due to harm to property and organizational security. The event is not merely a potential risk but a discovered and demonstrated vulnerability with direct harmful consequences. Hence, it qualifies as an AI Incident rather than a hazard or complementary information.