What the ChatGPT for Sheets data-exfiltration bug teaches about AI security

A security firm called PromptArmor published a writeup on May 27, 2026 showing that ChatGPT for Google Sheets, an OpenAI extension with more than 185,000 downloads, could be made to steal a user's spreadsheets through a single ordinary-looking request. Four days later, on May 31, OpenAI shipped a fix. The short version is that one benign question, typed by a real user into a sheet that contained hidden instructions, was enough to drain twelve linked workbooks out of that user's account and replace the assistant with a fake phishing chatbot.

I want to walk through how this worked, because the mechanism matters far more than the headline, and because the same shape of problem is going to keep showing up everywhere we bolt an AI assistant onto data we did not write ourselves.

What happened

The attack is a textbook indirect prompt injection. The user does nothing wrong. They import a sheet, or pull in data through a connector, and somewhere in that data sits a block of text the attacker controls. In the PromptArmor demonstration the malicious instructions were written in white text on a white background, invisible to a human skimming the sheet but fully readable to the model parsing the cells.

What happened

What the ChatGPT for Sheets data-exfiltration bug teaches about AI security

What the ChatGPT for Sheets data-exfiltration bug teaches about AI security

Other newsrooms on this story

Related reading

ChatGPT for Sheets Has 4M Installations. It's Leaking Data to OpenAI.

Other newsrooms on this story

Related reading

ChatGPT for Sheets Has 4M Installations. It's Leaking Data to OpenAI.

Researchers turned ChatGPT rogue and it robbed secrets from Gmail

A Single Poisoned Document Could Leak ‘Secret’ Data Via ChatGPT

How OpenAI's red team made ChatGPT agent into an AI fortress

ChatGPT per Google Fogli: scoperto un rischio di fuga dati

New attack on ChatGPT research agent pilfers secrets from Gmail inboxes