
ChatGPT Exploited in Shadow Leak Attack to Steal Gmail Data via Prompt Injection

Security researchers have demonstrated how ChatGPT, when used as an AI agent with access to personal accounts, could be tricked into secretly stealing sensitive data from Gmail inboxes. The attack, dubbed "Shadow Leak" and revealed by cybersecurity firm Radware, highlights the emerging risks posed by agentic AI—systems capable of autonomously performing tasks like browsing the web and interacting with apps on a user’s behalf.

The exploit relied on a technique known as prompt injection, where malicious instructions are embedded in content in a way that tricks an AI into acting against the user’s interests. In this case, the researchers sent a carefully crafted email to a Gmail account that had been granted access to OpenAI’s Deep Research feature—an AI tool within ChatGPT designed to assist users by searching the web and retrieving information from connected accounts. Hidden within the email was a prompt injection disguised as normal content. The instruction was invisible to human eyes—written in white text on a white background—so the user would never notice it.

When the victim later used Deep Research, the AI agent unknowingly executed the hidden command. Instead of helping, the agent was directed to search for HR-related emails, personal information, and other sensitive data. It then exfiltrated the stolen content to a server controlled by the attackers, all without triggering any alerts.

The researchers emphasized that this was not a simple hack. It took extensive trial and error to bypass multiple layers of security and successfully extract data. “This process was a rollercoaster of failed attempts, frustrating roadblocks, and, finally, a breakthrough,” they said.

What made Shadow Leak particularly concerning was that the attack ran entirely on OpenAI’s cloud infrastructure. This meant the data breach occurred behind the scenes, invisible to traditional security tools that monitor user activity or network traffic on the victim’s side.

Radware warned that the same method could be applied to other services connected to Deep Research, including Microsoft Outlook, GitHub, Google Drive, and Dropbox. These integrations could allow attackers to steal confidential business data such as contracts, internal meeting notes, and customer records.

OpenAI has since patched the vulnerability in June, according to the researchers. However, the incident serves as a stark reminder of the dangers that come with giving AI agents deep access to personal and corporate data. As these systems become more autonomous, the potential for misuse grows—especially when malicious actors can hide commands in plain sight. The Shadow Leak demonstration is a proof-of-concept, but it underscores the urgent need for stronger safeguards, better detection mechanisms, and more cautious deployment of AI agents in sensitive environments.
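One defensive check the article points to is screening inbound email HTML for text a human reader would never see (white-on-white, zero font size, `display:none`) before an agent is allowed to read it. The scanner below is an added example written for this page, not code from Radware or OpenAI; the sample email and the hide-reason labels are constructed here, and the check is a heuristic over inline styles only (it does not evaluate stylesheets or images).

```python
import re
from html.parser import HTMLParser

# Constructed sample (not from the Radware report): one white-on-white paragraph, one at font-size 0.
SAMPLE_EMAIL_HTML = """<html><body style="background:#ffffff;color:#000">
<p>Hi team, the Q3 notes are attached.<br>Shout if anything is missing.</p>
<p style="color:#FFF">constructed hidden text aimed at the agent</p>
<p style="font-size:0px">second constructed hidden segment</p><p>Thanks!</p></body></html>"""
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}  # elements that never get an end tag

def _norm_color(value):  # -> "#rrggbb" for hex values or white/black keywords, else None
    v = {"white": "#ffffff", "black": "#000000"}.get(value.strip().lower(), value.strip().lower())
    m = re.fullmatch(r"#([0-9a-f]{3}|[0-9a-f]{6})", v)
    return None if not m else "#" + (m[1] if len(m[1]) == 6 else "".join(c * 2 for c in m[1]))
def _style(attrs):  # inline style attribute -> {property: value}, lower-cased
    decls = [d.split(":", 1) for d in (dict(attrs).get("style") or "").split(";") if ":" in d]
    return {k.strip().lower(): v.strip().lower() for k, v in decls}

class HiddenTextScanner(HTMLParser):
    """Collect text a human would not see: colour equal to the inherited background,
    font-size 0, opacity 0, display:none or visibility:hidden (inherited from ancestors)."""
    def __init__(self):
        super().__init__()
        self.stack = [(None, None, None)]  # per open element: (colour, background, hide reason)
        self.findings = []                 # (reason, text) pairs
    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        st, (color, bg, reason) = _style(attrs), self.stack[-1]
        color = _norm_color(st.get("color", "")) or color
        bg = _norm_color(st.get("background-color", st.get("background", ""))) or bg
        if st.get("display") == "none" or st.get("visibility") == "hidden" or st.get("opacity") == "0":
            reason = "hidden-by-css"
        elif re.fullmatch(r"0(\.0+)?(px|pt|em|rem|%)?", st.get("font-size", "1")):
            reason = "zero-font-size"
        elif reason in (None, "text-matches-background"):  # colour match re-checked per element
            reason = "text-matches-background" if color and color == bg else None
        self.stack.append((color, bg, reason))
    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and len(self.stack) > 1:
            self.stack.pop()
    def handle_data(self, data):
        text, reason = data.strip(), self.stack[-1][2]
        if text and reason:
            self.findings.append((reason, text))

def find_hidden_text(html):  # -> [(reason, text), ...]; an empty list means nothing hidden
    scanner = HiddenTextScanner()
    scanner.feed(html)
    return scanner.findings
```

A non-empty result is a signal to quarantine the message from the agent's context, or to strip the flagged segments and log them for review, rather than a verdict on the message itself.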
