The Memory Heist How I tricked Claude into leaking your deepest, darkest secrets July 9, 2026
Take a look at this Claude conversation. Notice anything suspicious?
Looks innocuous, but by the time Claude finished responding, it had already sent my full name, current employer, and the answers to my security questions to an attacker, without any indication that anything had happened.
server logs $ bun dev Exfiltrating data... Name: Ayush Paul Company: Beem Hometown: Charlotte, NC
I've been exploring AI memory systems for a while now, and I've noticed that the security side of things is completely overlooked, despite holding more information than most password managers. AI assistants like Claude have accumulated the most information-dense profiles on millions of people. People confide in them on everything, from confidential work assets to personal secrets to relationship problems. Over time, that conversation history becomes a high-fidelity reconstruction of you, one that could be used for blackmail, impersonation, or bypassing security questions.
With that in mind, I decided to take a look at Claude, specifically the main everyday assistant (claude.ai , not Claude Code). Claude has a functional, but naive, two-part memory system. The first is a daily summarization pass: your recent conversations get distilled into a few paragraphs about you, injected into every single conversation so Claude doesn't have to start from scratch. The second is a retrieval tool, conversation_search , to search your full conversation history on demand.
There's some incredibly valuable information here. The memory system itself is secure, the real question is what happens when you pair it with an agent that can browse the web.
the naive approach
To steal your memories, we need to find a way to get data out of Claude's sandbox, or in other words, an exfiltration vector. I wanted something fully general purpose (i.e. no experimental settings or code execution or niche MCP required). My mind immediately went to Claude's web browsing capabilities. Claude has two tools built-in to access the internet, web_search and web_fetch . web_fetch is designed to be read-only, giving Claude a way to look at the contents of any URL.
But, if Claude can access a website that we own, then we should be able to detect Claude trying to access our website! I quickly spun up a web server, evil.com , and logged all requests. Went over to Claude, asked it to check it out, and... request failed?
... continue reading