AI Privacy Incident Tracker

A continuously updated tracker of AI privacy incidents — confirmed data exposures, security flaws, regulatory actions, and training-data disputes across the major AI vendors. Each entry cites primary sources.


Incidents tracked: 12
Incident categories: 5
Tracking since: January 20, 2026
Last updated: May 31, 2026

Incidents by category

Some incidents span more than one category (e.g. a data exposure that triggers a regulatory action).

Data exposure: 5
Security flaw / supply chain: 3
Regulatory / legal action: 2
Training-data dispute: 1
Model misuse: 1

account-recovery | 2026-05-31

Meta AI support assistant abused for Instagram account takeovers

Over the weekend of May 31, 2026, several Instagram accounts were taken over after their owners' recovery flows were routed through Meta's AI support...

supply-chain | 2026-05-27

Claude AI user data directory exfiltration via malicious npm package

On May 27, 2026, OX Security researchers identified a malicious npm package, `mouse5212-super-formatter`, designed to exfiltrate files from `/mnt/user-data`,...

bipa | 2026-05-14

Adobe Firefly BIPA voice-training class action

On May 14, 2026, seven Illinois journalists, podcasters, and audiobook narrators filed a proposed class-action lawsuit against Adobe in the US District Court...

supply-chain | 2026-05-11

OpenAI internal repo and signing credential exposure via TanStack npm supply chain

On May 14, 2026, OpenAI disclosed that two employee devices were impacted by malicious npm packages from the TanStack supply chain attack that researchers...

shadow-ai | 2026-05-07

Community Bank discloses customer data exposure through an unauthorized AI application

On May 7, 2026, Community Bank, a regional U.S. lender operating in Pennsylvania, Ohio, and West Virginia, filed a Form 8-K with the Securities and Exchange...

api-keys | 2026-05-04

Braintrust AWS account compromise and customer API key rotation

On May 5, 2026, Braintrust, an AI evaluation and observability platform, posted a website notice disclosing unauthorized access to one of its AWS accounts...

Anthropic | 2026-04-22

Claude Mythos Breach: Anthropic Lost Its Most Dangerous AI Model on Day One

A private Discord group gained unauthorized access to Claude Mythos Preview within 24 hours of launch, via a shared credential from a third-party contractor for Anthropic plus a URL pattern guess. What it means for your confidential data.

csam | 2026-04-20

French prosecutors investigate X over Grok-generated child sexual abuse material

On April 20, 2026, Elon Musk and X chief executive Linda Yaccarino were summoned for voluntary questioning by the Paris prosecutor's office over the use of...

supply-chain | 2026-03-31

OpenAI macOS signing pipeline compromise via Axios supply chain

On March 31, 2026, OpenAI's GitHub Actions workflow for notarizing macOS applications executed a malicious version of the Axios JavaScript library during a...

healthcare | 2026-03-25

EFF FOIA lawsuit over Medicare WISeR AI prior-authorization program

On March 25, 2026, the Electronic Frontier Foundation filed a Freedom of Information Act lawsuit against the Centers for Medicare & Medicaid Services seeking...

misconfiguration | 2026-02-03

Sears Home Services AI chatbot and call database exposure

On February 3, 2026, security researcher Jeremiah Fowler discovered three publicly accessible databases belonging to Sears Home Services, the home repair...

firebase | 2026-01-20

Chat and Ask AI Firebase misconfiguration exposes 300 million user messages

On January 20, 2026, independent security researcher Harry identified a Firebase misconfiguration in Chat & Ask AI, a multi-model AI chat application...


Methodology — how we track

  • Scope: publicly disclosed incidents involving AI products, vendors, or operators and the handling of user or sensitive data — data exposures, security and supply-chain flaws, regulatory and legal actions, training-data disputes, and operator misuse.
  • Inclusion: each entry is based on a confirmed public disclosure (vendor statement, security-researcher report, court filing, or regulator action). Every incident page cites its primary sources.
  • Cadence: the log is reviewed and updated as new incidents are confirmed. The “last updated” date above reflects the most recent addition.
  • Corrections: if an entry is inaccurate or you have a primary source to add, email support@elephas.app.

Cite this tracker

Journalists and researchers are welcome to cite the Elephas AI Security Incident Tracker. Suggested citation:

Elephas. “Elephas AI Security Incident Tracker.” Last updated May 31, 2026. https://elephas.app/resources/ai-security-incidents