How a Security Researcher Tricked Claude Into Leaking Personal Data From Its Memory

Claude’s ability to remember past conversations makes it feel more human — but that same memory can also be weaponized.

Security researcher Ayush Paul published a proof-of-concept this month showing how an attacker can trick Anthropic’s Claude into extracting stored personal information — name, employer, and even hometown — and sending it to an external website without the user’s knowledge. The method exploits a combination of Claude’s memory mechanisms and its web_fetch tool.

Claude draws on two separate memory systems. The first is a daily summary feature that compresses recent conversations into a few paragraphs and injects them into subsequent sessions. The second is a tool called conversation_search that can retrieve full conversation histories on demand. Together, they let the model build a reasonably complete personal profile over time — names, workplaces, locations, even personal struggles — all surfaced automatically to provide context for answers.

Paul’s attack weaponizes that convenience. In his tests, Claude submitted the user’s name, company, and hometown without any explicit prompt requesting that information. The log output was stark: “Name: Ayush Paul”, “Company: Beem”, “Hometown: Charlotte, NC.”

The trick works by blending a malicious URL with a set of legitimate cafe URLs and asking Claude to compare them. The model then encodes the user’s name character-by-character into the link — all without asking permission. With enough prompting, the same technique extracts the user’s current employer and even their hometown city, the latter of which can be used for identity verification at banks and other institutions.

Paul reported the vulnerability through Anthropic’s HackerOne bug bounty program. According to his disclosure, Anthropic was already internally aware of the issue but had not patched it at the time of his report. Paul received no bounty.

Anthropic has since disabled web_fetch’s ability to follow links embedded inside external pages, closing the specific vector Paul used. But the broader question remains: if a model can be tricked into surfacing stored personal data through a URL comparison task, what other seemingly innocent prompts could produce the same result?