ShadowLeak: Can We Trust AI With Our Emails?

A new exploit shows how hidden prompts can trick AI into leaking your data without you ever clicking a thing.

What ShadowLeak Is and Why It Matters

A novel exploit called ShadowLeak targets AI agents like ChatGPT’s Deep Research. Unlike phishing scams that rely on humans making mistakes, this exploit doesn’t need a human at all. Instead, it hides instructions in emails, sometimes even in invisible text, that an AI agent will read, follow, and act on.

When ChatGPT’s Deep Research feature accessed Gmail accounts, malicious emails with hidden prompts instructed it to pull sensitive information and send it to attacker-controlled websites. It’s not the AI “choosing” to do this. The AI is simply following instructions hidden inside the email.

The important thing to understand is that regular Gmail browsing by a human is safe. ShadowLeak only works when an autonomous AI agent is allowed to read or act on emails. This risk isn’t limited to Gmail. It applies to any email system, whether you’re using Google, Microsoft Outlook, or even a self-hosted server, as long as you’ve hooked up an AI to manage or summarize your inbox.

The Bigger Problem With Hidden Prompts

ShadowLeak is a reminder of just how tricky “prompt injection” attacks are. This is the AI version of old-school software exploits like SQL injection: sneaky instructions buried in plain text. Humans might never see these instructions because they’re hidden with formatting tricks like white text on a white background. The AI sees everything and interprets it literally.

Researchers demonstrated that ShadowLeak forced the agent to repeatedly try to send sensitive data to an outside server. It wasn’t just a single attempt. The instructions told the AI to “be persistent,” and the AI obliged. That persistence makes these attacks harder to block because they don’t look like a single suspicious action. They look like determined problem-solving.

While OpenAI patched the specific exploit after being alerted by security researchers at Radware, the underlying issue remains unsolved: every AI that’s allowed to act on text is at risk of being manipulated by hidden instructions.

Privacy Concerns Beyond Security

Even if you assume the security flaws get patched, there’s another reason to think twice before giving AI access to your inbox: lawsuits.

OpenAI is currently facing legal challenges, including one from The New York Times. As part of that case, the company has been required to retain chat data longer than they originally intended. This means if you feed your emails into ChatGPT, those conversations may be preserved for court proceedings. OpenAI is trying to protect user privacy, but if a court orders them to produce data, they must comply.

In other words, the very emails you asked an AI to summarize could end up in someone else’s hands. Not because of a hack, but because of legal discovery.

Can AI Be Trusted With Email?

That’s the central question ShadowLeak raises. If AI can be tricked into leaking information without your knowledge, and if your data can also be preserved for lawsuits, do you really want to hand over your inbox?

Yes, AI can help with productivity. It can sort, summarize, and respond faster than you ever could. That convenience comes at a cost: exposure to risks that most people haven’t considered. And while OpenAI patched ShadowLeak quickly, other companies like Google, Microsoft, and smaller providers have not publicly announced similar fixes.

Until stronger, systemic defenses exist, handing over your email to any AI system, whether ChatGPT, Gemini, Copilot, or a self-hosted agent, means accepting risks you might not be comfortable with.

ShadowLeak is a wake-up call. The exploit itself has been patched, but the bigger problem remains: AI can be manipulated in ways humans can’t see, and once your data is exposed, you can’t get it back.

The safest step you can take right now is simple: don’t give AI full access to your emails. Use it where it makes sense, but keep your most sensitive information out of reach. Productivity is helpful. Protection is essential.
