August 12, 2025
5 min read
Gus Mallett
AI Agents Like ChatGPT Are Vulnerable to Hacking, Security Firm Finds
Some of the most widely-used AI agents and assistants in the world, including ChatGPT, Microsoft Copilot, Gemini, and Salesforce’s Einstein, are vulnerable to being hijacked with little to no user interaction, new research from Zenity Labs claims. Hackers can easily gain access to and exfiltrate critical data, manipulate workflows, and even impersonate users with relative ease. Attackers may also gain memory persistence, granting long-term access and control over compromised data. These findings will concern technology leaders, who have already indicated that cybersecurity is their top concern in 2025. With many employees using AI tools secretly, the security gaps may be more widespread than senior leaders realize.AI Agents “Highly Vulnerable” to Hacking, Research Shows
A new report from Zenity Labs outlines how popular AI agents are susceptible to exploitation by malicious actors. Presented at the Black Hat USA cybersecurity conference, the research revealed serious security weaknesses across these platforms. Once hackers gain access to these AI agents, they can exfiltrate sensitive data, manipulate workflows, and impersonate users. They may even achieve memory persistence, enabling long-term control and access. Greg Zemlin, product marketing manager at Zenity Labs, explained:“They can manipulate instructions, poison knowledge sources, and completely alter the agent’s behavior. This opens the door to sabotage, operational disruption, and long-term misinformation, especially in environments where agents are trusted to make or support critical decisions.”
Findings Shed Light on Numerous Security Loopholes
Zenity Labs investigated how zero-click exploits could compromise leading AI agents. Key findings include:- ChatGPT can be hacked via email-based prompt injection, giving attackers access to connected Google Drive accounts.
- Copilot leaked entire CRM databases through its customer-support agent.
- Salesforce Einstein can be manipulated to reroute customer communications to different email accounts, exposing login information.
- Both Gemini and Copilot can be exploited to target users with social-engineering attacks. After discovering these vulnerabilities, Zenity Labs notified the affected companies, which patched the flaws and introduced safeguards. A Google spokesperson emphasized:
- AI Agents Are Broken: Can GPT-5 Fix Them?
- AI Agent Oversight: Critical to Secure, Scalable Autonomy
- AI-Driven Crypto Scams Surge 456%, Experts Warn No One Is Safe
“Having a layered defense strategy against prompt injection attacks is crucial.”However, recent incidents such as the Salesforce CRM data breach show that more work is needed.
Companies Must Act Now to Avert Catastrophe
AI agents are becoming integral to modern workplaces, with companies investing heavily and employees using these tools to streamline operations. Yet, only 27% of businesses have policies limiting the type of data shared with AI models, according to our report The Impact of Technology on the Workplace. This combination of insufficient safeguards and inherent AI vulnerabilities puts businesses at risk of becoming the next data breach statistic. Businesses must urgently implement strict governance policies and security measures to protect sensitive data and maintain trust.Frequently Asked Questions (FAQ)
AI Agent Security and Vulnerabilities
Q: How are AI agents like ChatGPT vulnerable to hacking? A: AI agents are vulnerable to "prompt injection" attacks, where malicious instructions are embedded within user prompts. This can allow attackers to exfiltrate data, manipulate workflows, or even impersonate users, sometimes with little to no direct user interaction. Q: What specific AI agents were found to be vulnerable? A: Research identified vulnerabilities in widely used AI agents including ChatGPT, Microsoft Copilot, Gemini, and Salesforce's Einstein. Q: What kind of damage can hackers cause by exploiting these vulnerabilities? A: Hackers can gain access to and steal critical data, alter workflows, impersonate users, and achieve memory persistence, granting them long-term control over compromised systems and data. Q: What is "memory persistence" in the context of AI agent hacking? A: Memory persistence means that once an AI agent is compromised, the attacker can maintain long-term access and control over the data and functions of that agent, even after initial exploitation. Q: Are there "zero-click" exploits for these AI agents? A: Yes, research indicates that some vulnerabilities can be exploited with "zero-click" methods, meaning attackers can compromise the agent without any direct action or interaction from the user. Q: What are some real-world examples of these vulnerabilities being exploited? A: Examples include ChatGPT being hacked via email-based prompt injection to access Google Drive accounts, Copilot leaking CRM databases, and Salesforce Einstein being manipulated to reroute customer communications. Q: What is being done to address these AI agent vulnerabilities? A: The affected companies have been notified and have implemented patches and safeguards. However, the research suggests that ongoing vigilance and further security enhancements are necessary.Crypto Market AI's Take
The discovery of vulnerabilities in leading AI agents like ChatGPT and Copilot highlights a critical intersection between artificial intelligence and cybersecurity. As businesses increasingly rely on these tools for critical operations, the potential for sophisticated attacks increases. This underscores the importance of robust security measures and clear governance policies for AI integrations. Our platform at Crypto Market AI focuses on leveraging AI for market analysis and trading, but we are acutely aware of the need for secure, trustworthy AI systems. Ensuring the integrity of AI models and protecting against malicious manipulation is paramount for the future of AI-powered finance.More to Read:
Source: Originally published at Tech.co on Tue, 12 Aug 2025.