
AI Is Getting Better at Hacking Every 4.7 Months. The Tools You Paste Your Data Into Are the Soft Target.

Every 4.7 months, AI gets twice as good at hacking. That is not a forecast. It is a measurement, published this week by the UK AI Safety Institute, and the curve is steeper than the government's own estimate six months ago.

The headline framed it as a story about attackers. It is also a story about you. The cloud AI tools you paste work into are software, they hold your most sensitive data, and they have already been breached. As attackers get faster, the chat window on your screen is the soft target.

  • 4.7 months: AI cyber capability doubling time (UK AISI, May 2026)
  • 300M: messages exposed in the AI chat app Firebase breach (early 2026)
  • 82%: top 100 AI apps rated medium-to-critical risk (Cyberhaven)
  • 3 years: how long Gemini retains human-reviewed chats after deletion

Executive Summary

  • The UK AI Safety Institute measured autonomous AI cyber capability doubling every 4.7 months, down from 8 months in late 2025; the curve is accelerating, not just rising.
  • Google Threat Intelligence caught a threat actor wielding an AI-developed zero-day exploit intended for a mass exploitation event, and it is the first time GTIG has publicly identified an AI-developed zero-day in a real attacker's hands.
  • Cloud AI tools are themselves the breach point: ChatGPT had a hidden exfiltration channel (patched Feb 2026), an AI chat app exposed 300 million messages, and the Vercel breach originated inside a third-party AI tool.
  • For lawyers, clinicians, and regulated professionals, the impermissible disclosure happens at the moment of the paste, not after a breach. Privilege, HIPAA, and GDPR exposure are all immediate.
  • 82% of the top 100 generative AI apps are rated medium-to-critical risk. Vendor policies allow human review, model training on your content, and multi-year retention, in plain writing almost no one reads.
  • The fix is not quitting AI. It is keeping sensitive data on a machine you control and letting only redacted, non-identifying text reach a cloud model. Elephas is the privacy-friendly AI knowledge assistant built for exactly that, with local data storage by default and built-in local LLM models.

The Headline Was About AI Hacking. The Risk Is Sitting in Your Chat Window.

Most coverage of that measurement stops at the attacker. It describes what AI can now break into and how fast that is changing, then moves on. What it skips is the other half of the equation: the target. An attacker getting faster only matters if there is something worth reaching, and for most knowledge workers, the AI data security risk sits in the pile of company and client data inside the AI tools they use every day.

To see why your chat window belongs in that story, start with how fast the other side is now moving.

What “AI Data Security Risk” Actually Means in 2026

AISI Cybersecurity Time Horizons chart: AI cyber-task time horizon doubling every 4.7 months as of May 2026, with GPT-5.5 and Mythos Preview ahead of the trend line

The phrase gets thrown around loosely, so define it plainly. AI data security risk is the chance that data you paste into a cloud AI tool gets exposed, leaked, or used in ways you never agreed to. It is not the abstract fear of a rogue model turning on humanity. It is the concrete exposure created when sensitive work content leaves your device and lands on a vendor's servers.

That risk has three specific failure modes, and they reinforce each other:

  • The attacker side is compounding. The UK AI Safety Institute, working with METR, now measures autonomous AI cyber capability by its cyber-task time horizon. As of its 13 May 2026 report, that horizon is doubling every 4.7 months, down from an estimated 8 months in November 2025. The chart above is the actual measurement, not a projection.
  • The tool itself can leak. The channel you paste into is not secure by default. A cloud AI tool is software, and software has flaws, some of which have already been found and exploited in production tools that millions of people use daily.
  • The data is already piled up there. Knowledge workers feed sensitive material into these tools constantly, building exactly the prize an attacker wants. Cyberhaven found that 34.8% of everything pasted into ChatGPT is sensitive company data: IP, client records, internal strategies.

The bridge concept connecting all three is attack surface. Every cloud AI tool a person uses widens it. Each chat window is one more door, and the data behind that door is exactly the confidential company data that makes a target worth attacking. You have one side getting faster and the other side getting fatter. Both halves of that risk have already left the lab.

This Already Happened: AI-Built Exploits and Leaking Chat Tools

AISI 'The Last Ones' benchmark: steps completed per token spend by GPT-5.5 and Mythos Preview, showing AI models now completing full cyber-attack chains autonomously

The attacker side is real, and it is documented. On 12 May 2026, the Google Threat Intelligence Group reported catching a criminal threat actor with a zero-day exploit the group assessed was built with AI assistance. In Google's own words, “the criminal threat actor planned to use it in a mass exploitation event but our proactive counter discovery may have prevented its use.” It is the first time GTIG has publicly identified an AI-developed zero-day in a real attacker's hands.

The tools leak too. Check Point Research found a hidden outbound communication channel in ChatGPT's code-execution runtime. A single malicious prompt could turn an ordinary chat into a covert exfiltration path, smuggling pasted messages and uploaded files out of the sandbox. The researchers stated plainly that “sensitive data shared with ChatGPT conversations could be silently exfiltrated without the user's knowledge or approval.” OpenAI patched it on 20 February 2026.

  • In early 2026, a security researcher found the Chat & Ask AI app had left its backend database open via a Firebase misconfiguration. Roughly 300 million messages tied to about 25 million users were exposed, including entire chat histories. It was fixed within hours, but until then the data had been readable to anyone with the project URL.
  • The April 2026 breach of Vercel, a hardened infrastructure company, originated inside a compromised third-party AI tool used by one employee. The AI tool was the soft entry point into a company that was otherwise locked down.
  • The benchmark above shows AI models now completing full autonomous cyber-attack chains, from initial reconnaissance through network takeover, in a single session. The capability gap between “AI can help with hacking” and “AI can run the whole attack” is closing fast.

Those are headlines about companies. They matter because of what they mean for the data on your own screen.

Why This Lands on You Specifically

Who carries the risk: professional role grid showing Lawyer, Clinician, Financial Advisor, Founder, each with an exposed data marker

Step back from the corporate breach reports and look at who actually pastes the most sensitive material into these tools. It is not casual users asking for recipe ideas. It is lawyers with contracts, clinicians handling patient notes, financial advisors with account records, and founders with deal documents. The people with the most to lose are doing the most pasting.

For regulated professionals, a single paste is not a convenience. It can be a compliance breach with legal weight:

  • A lawyer who pastes privileged client material into a consumer tool that retains and human-reviews it risks waiving attorney-client privilege. Under common-law rules, privilege is generally lost when confidential communications are voluntarily disclosed to a third party outside the privileged relationship.
  • A clinician who pastes protected health information into a consumer tool with no signed Business Associate Agreement has made an impermissible disclosure under the HIPAA Privacy Rule.
  • Pasting EU residents' personal data into an uncontracted consumer AI tool can breach the GDPR. Article 5(1)(f) demands appropriate security for personal data, and Article 28 requires a binding contract before any processor touches it.

The breach is not a future hypothetical waiting on an attacker. Under these rules, the impermissible disclosure happens at the moment of the paste. The exposure is regulatory, not just reputational, and it is the realistic answer to what the worst case looks like.

Why This Risk Stays Invisible

What you assume vs. what the policy says: two-column contrast showing private vs. human-reviewed, deleted vs. retained 3 years, just mine vs. used for training

Most people never see this risk because they assume a chat is private and temporary, something between them and a machine that forgets. The policies of the tools they use say otherwise, in plain sight, and almost nobody reads them.

Read the policies directly and the gap is obvious. Google's own guidance for Gemini tells users in writing: “Please don't enter confidential information that you wouldn't want a reviewer to see or Google to use to improve our services.” The same hub discloses that human reviewers, including trained reviewers from outside service providers, read some of the data collected. Chats reviewed by a human are not deleted when you delete your activity; they are retained for up to three years.

Consumer ChatGPT carries its own quiet defaults. OpenAI's policy says it may use the content you provide to train the models that power ChatGPT. You can opt out, but the policy is explicit that once you do, only new conversations are excluded. Anything pasted before you flipped the switch may already be in the pipeline.

  • 82% of the top 100 generative AI applications are rated medium-to-critical risk (Cyberhaven, 2026). Most workers using them have never seen that number.
  • 77% of employee AI interactions involve real company data, and 82% of those happen through personal accounts that IT security cannot monitor, log, or audit (Cyberhaven, 2026). When something is shared from a personal account, there is no corporate record that it happened.
  • Vendor policies are written in language that does not feel urgent at paste time. “Training data,” “service improvement,” and “retained for up to three years” do not read as risk statements. They read as boilerplate.
  • The UK's National Cyber Security Centre named data leakage explicitly among the core risks when using AI tools. In its words: “How could I leak information?” The national cyber authority puts it first, not last.

Seeing the risk clearly is the hard part. Once you do, the safer path is straightforward.

The Safer Path: Shrink Your Attack Surface Instead of Expanding It

Before vs after: raw data going straight to cloud AI vs data staying on local device, through redaction step, then only non-identifying text reaching the cloud

Take the honest takeaway from every section above. It is not “quit AI.” That advice is useless, and you would ignore it anyway. The takeaway is narrower and more practical: shrink your attack surface instead of expanding it. Keep the sensitive data on your own machine, and let only redacted, non-identifying text reach a cloud model.

State it as a rule of thumb you can actually use: the safest data is the data that never leaves your computer.

  • Elephas is a privacy-friendly AI knowledge assistant for Mac. Your work stays on your Mac with local data storage by default, so the raw, identifying material is not sitting on someone else's server waiting to be breached or reviewed.
  • The sequence is what does the protecting: local Mac first, then automatic PII redaction strips names, emails, phone numbers, and other identifiers. Only after that does anything reach a cloud AI model. Smart redaction is currently in beta, and the design goal is plain: sensitive data is detected and redacted before it leaves your device.
  • Elephas provides built-in local LLM models so work can run fully offline. No data leaves the device at all. For the most sensitive material, the cloud is never involved.
  • Your content is never used to train AI models, never stored on vendor servers, and never reviewed by third parties. That is not a settings toggle. It is the architecture.
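
The local-first, redact-then-send sequence described in the bullets above, as an added Python example (not Elephas's own code): a regex pass replaces names from a device-side list, emails, phone numbers and medical record numbers with stable placeholders, keeps the reverse map on the device so a cloud reply can be re-identified locally, and a routing gate keeps material marked as regulated on the local model entirely. The sample note, the name list and the `route`/`redact`/`restore` helpers are assumptions constructed for this illustration.

```python
import re
# Constructed sample: a clinician's note that must not reach a cloud model as written.
SAMPLE_NOTE = (
    "Patient Jane Doe (MRN 00123456) called from 555-867-5309 and "
    "emailed jane.doe@example.com about her results. Jane Doe wants a callback."
)
# Assumption: a device-side list of client/patient names the app already knows.
KNOWN_NAMES = ["Jane Doe"]
# Identifier patterns for the redaction pass (constructed; extend per use case).
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "PHONE": re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b"),
    "MRN": re.compile(r"\bMRN\s*\d{6,}\b"),
}

def redact(text, known_names=KNOWN_NAMES):
    """Replace identifiers with stable placeholders; return (redacted, placeholder->original)."""
    forward = {}   # original value -> placeholder; this map never leaves the device
    counters = {}

    def replacer(kind):
        def repl(match):
            value = match.group(0)
            if value not in forward:  # same value always gets the same placeholder
                counters[kind] = counters.get(kind, 0) + 1
                forward[value] = f"[{kind}_{counters[kind]}]"
            return forward[value]
        return repl

    out = text
    for name in sorted(known_names, key=len, reverse=True):  # longest names first
        out = re.sub(re.escape(name), replacer("NAME"), out)
    for kind, pattern in PATTERNS.items():
        out = pattern.sub(replacer(kind), out)
    return out, {placeholder: value for value, placeholder in forward.items()}

def restore(text, mapping):
    """Re-identify a model reply on the device by swapping placeholders back."""
    for placeholder, value in mapping.items():
        text = text.replace(placeholder, value)
    return text

def route(text, regulated=False):
    """Gate what leaves the device: regulated material stays on the local model,
    everything else goes to the cloud only after redaction."""
    if regulated:
        return {"target": "local-llm", "payload": text, "mapping": {}}
    redacted, mapping = redact(text)
    return {"target": "cloud", "payload": redacted, "mapping": mapping}
```

Regex redaction catches structured identifiers only; free-text names not on the device-side list still require an NER pass or a human check before the payload goes out.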

None of this requires a security overhaul. It requires one change in where your data sits.

Use AI Without Surrendering Your Data

Pull the whole arc together. Attackers are compounding fast, with autonomous AI cyber capability now doubling every 4.7 months. The cloud AI tools you paste into are the soft target, already breached at the 300-million-message scale. The confidential data piling up inside them is the prize. None of that is fear-mongering, and none of it means you should stop using AI.

The exposure is a choice you can change. Before the next time you paste something sensitive, run one test: decide whether that data genuinely needs to leave your device.

  • Autonomous AI cyber capability is now doubling every 4.7 months; the attacker side is accelerating, not plateauing.
  • Cloud AI tools have already been the breach point: a hidden ChatGPT exfiltration channel, a 300M-message app exposure, a Vercel breach that started inside an AI tool.
  • For regulated professionals, the impermissible disclosure happens at the moment of the paste: privilege, HIPAA, and GDPR exposure require no attacker.
  • The fix is not abstinence. It is keeping the sensitive part of the work on a machine you control, then letting only redacted text reach the cloud.
  • Elephas is the privacy-friendly AI knowledge assistant built for exactly this: local data storage by default, built-in PII redaction before anything reaches a cloud AI model, and built-in local LLM models so nothing leaves your device at all.

A local-first, redaction-capable setup keeps that choice in your hands. The most direct way to take the AI data security risk off your own desk is to keep the sensitive part of the work on a machine you control.

Keep Your Data on Your Mac

Elephas is the privacy-friendly AI knowledge assistant for Mac. Local storage, smart redaction (beta), built-in local LLM models. Your data never leaves your device.

Written by Selvam Sivakumar, Founder, Elephas.app

Selvam Sivakumar is the founder of Elephas and an expert in AI, Mac apps, and productivity tools. He writes about practical ways professionals can use AI to work smarter while keeping their data private.
