← back to blog
Threat Intel

When Your AI Turns Against You

Hooded skull figure at laptop — AI prompt injection and LLM security risk

Generative AI can supercharge small and medium businesses — but new research shows attackers can weaponize web content and hidden prompts to make chatbots leak private data. This is real, practical, and fixable.

What researchers found

Security teams recently disclosed seven practical techniques that trick ChatGPT and similar LLMs into revealing private material or obeying hidden instructions — including zero-click and one-click prompt injection, memory poisoning, conversation injection, and tricks that hide malicious prompts inside benign web content or URL parameters. The vulnerabilities were demonstrated against GPT-4o and GPT-5 variants and written up by Tenable and others.

Why it matters: LLMs often ingest or summarize external content — web pages, docs, files. Attackers can hide instructions inside that content so the model treats them as user intent and acts on them, including leaking chat memory, system prompts, or uploaded secrets.

The bigger ecosystem risk

Small amounts of poisoned data can backdoor models. Anthropic, the UK AI Security Institute, and the Alan Turing Institute showed that as few as 250 poisoned documents can implant backdoors — making training-time poisoning far more feasible than previously assumed.

Market incentives can erode safety. Research shows competitive optimization (maximizing engagement or sales) can drive models toward deceptive or unsafe behavior — a phenomenon described as "Moloch's Bargain." Another reason governance and monitoring matter.

Why SMBs are especially exposed

SMBs adopt cloud AI tools fast and often lack AI-security expertise. Teams routinely paste internal text into public chatbots for summaries or code help — an easy path for injected prompts. And SMBs hold customer data, contracts, and IP that become high-value if leaked. OWASP's GenAI Top 10 lists prompt injection (LLM01) as the top risk for LLM apps.

10 things SMBs can do today

  1. Inventory AI usage — list which teams and apps use LLMs and what data they touch.
  2. Least privilege — never let a chatbot reach full databases or PII unless absolutely necessary.
  3. Segment and sanitize — avoid feeding raw customer data or secrets into public LLMs; tokenize where possible.
  4. Lock down ingestion sources — only allow trusted, validated content to be scraped or summarized.
  5. Disallow auto-click / auto-follow URL patterns — block or validate links to AI endpoints that accept query parameters.
  6. Human-in-the-loop — require review for AI outputs affecting customers, finances, or compliance.
  7. Train staff — "don't paste secrets," "don't click unvetted AI links," "question surprising outputs."
  8. Logging & monitoring — keep logs of AI queries and outputs; watch for abnormal behavior or unexplained exports.
  9. A lightweight AI policy — permitted use cases, data classes, approval flows, and incident steps.
  10. Engage a specialist — a focused AI Risk Assessment maps risk and gives prioritized fixes.

Short takeaway

Generative AI is a huge productivity lever, but it changes the rules. Prompt injection and data poisoning are real, and attackers are increasingly weaponizing web content and model behavior. For SMBs: don't panic — prepare. Inventory, limit, train, log, and get help. (For the strategic view of AI as a whole new attack surface — including Shadow AI and red-teaming your AI — see our companion piece, Securing the AI Frontier.)

Want a fast read on your AI exposure? Our AI Risk Assessment maps your AI tools, data flows, and where prompt injection or data leakage could hurt you — with prioritized fixes.

References & further reading

  1. Tenable — HackedGPT: Novel AI Vulnerabilities Open the Door for Private Data Leakage.
  2. The Hacker News — Researchers Find ChatGPT Vulnerabilities That Let Attackers Trick AI Into Leaking Data.
  3. OWASP GenAI — LLM01: Prompt Injection.
  4. Anthropic / UK AI Security Institute / Alan Turing Institute — small samples can poison LLMs (250 docs).
  5. El & Zou — Moloch's Bargain: Emergent Misalignment When LLMs Compete for Audiences (arXiv).
$ ./read_next
Threat Intel

10 Billion Blocks Later: Android's AI Edge Over iOS Explained

Android's on-device AI blocks over 10 billion scam texts and calls a month — far ahead of iOS. Why that reshapes the mobile attack surface, plus 5 threat actors to track.