AI Privacy Security

Hacker Used Anthropic's Claude To Steal Sensitive Mexican Data (bloomberg.com) 22

A hacker exploited Anthropic's AI chatbot to carry out a series of attacks against Mexican government agencies, resulting in the theft of a huge trove of sensitive tax and voter information, according to cybersecurity researchers. From a report: The unknown Claude user wrote Spanish-language prompts for the chatbot to act as an elite hacker, finding vulnerabilities in government networks, writing computer scripts to exploit them and determining ways to automate data theft, Israeli cybersecurity startup Gambit Security said in research published Wednesday.

The activity started in December and continued for roughly a month. In all, 150 gigabytes of Mexican government data was stolen, including documents related to 195 million taxpayer records as well as voter records, government employee credentials and civil registry files, according to the researchers.

  • 31337 C14ud3 (Score:5, Interesting)

    by TwistedGreen ( 80055 ) on Wednesday February 25, 2026 @03:22PM (#66010062)

    It's no surprise that these tools can enable script kiddies to elevate their game. This is what they're pushing, after all... you don't have to know what you're doing, just keep prompting until it works!

    We're in a golden age of sorts. Soon these LLMs will be so locked down due to fears of stuff like this. Use it while you can before you have to pay an exorbitant license fee for that "elite hacker" persona.

  • This is such BS (Score:2, Insightful)

    by fuzzyf ( 1129635 )
    This is just stupid.

    If Claude can "act as an elite hacker" and "find vulnerabilities" then every tool on the planet would find the same vulnerabilities. The chatbot is not, in fact, an elite hacker, it's a word (token) generator, and it has no f..ing clue about how to find vulnerabilities. The steps it can generate (token for token) are the same you can find in any Hacking for Dummies or 1337 Hackzor script.
    These headlines grow dumber and dumber as the AI companies are desperately trying to get everyone
    • by Tyr07 ( 8900565 )

      Yeah the headline is garbage. "Hacker used google search to learn how websites, SQL and networks worked and exploited it and did bad things."

      This to me is akin to "Person who commits crime went and used BOOKS in the Library to learn how certain things worked then did BAD THINGS WITH IT" Gosh, let's restrict people's access to libraries, you know, for the safety of everyone.
      That's all this reeks of.

    • by Ksevio ( 865461 )

      I think you're missing the point here.

      If you google "hack the Mexican government" you're not going to get any meaningful results, but if you prompt an advanced LLM to do so then apparently it can deliver results. Claude is like a script kiddie on steroids in this case since it knows all the existing vulnerabilities and tools to exploit them which will do the trick for a lot of targets.

      It's lowering the bar for hackers so they don't even have to know much about computer system

      • by fuzzyf ( 1129635 )
        I get the point. My perspective is that you can't really ask Claude to "Hack the Mexican government" either. You need to first do intel, which Claude can explain to you, but so can a quick google search. Then you need to look for vulnerabilities within the information you gathered during intel, of which there are countless tools that can help you, probably better than Claude... etc. etc.

        The stupid thing in this article was the prompt which, for the layman, indicates that Claude can somehow impersonate a
  • Marty: "Coolzies" (Score:4, Interesting)

    by fahrbot-bot ( 874524 ) on Wednesday February 25, 2026 @03:32PM (#66010070)

    Now really can't wait for the U.S. Military to more fully integrate with Claude...

    Hegseth Gives Anthropic Until Friday To Back Down on AI Safeguards [slashdot.org]

    Defense Secretary Pete Hegseth gave Anthropic CEO Dario Amodei until Friday evening to give the military unfettered access to its AI model or face harsh penalties,

    Especially now... Anthropic Drops Flagship Safety Pledge [slashdot.org]

    ... to never train an AI system unless it could guarantee beforehand that its safety measures were adequate.

  • Can you track the hackers by the hot diarrhea data trails? That Mexican data should be spicy.
  • by Himmy32 ( 650060 ) on Wednesday February 25, 2026 @03:39PM (#66010084)

    A hacker exploited Anthropic's AI chatbot

    This doesn't seem like an accurate summary, using an LLM to generate attack scripts isn't exploiting the LLM but the target of the scripts. The proper term would probably be "misused" as the use of Claude was against the Terms of Service and Acceptable Use Policy.

    Ever since the inception of the internet the accessibility of information that can be used for unethical purposes has been problematic without easy answers. But the source of information being the focus rather than unsecured environments seems misplaced. Running a private instance of an open source model isn't that much extra effort than an LLM as a service to a threat actor, so making a big deal out of it being Claude seems silly.

    Using Google or Bing to translate or get scripting help wouldn't generate an article and they've been in the same boat for safeguards for years. The lines between acceptable security use and White Hat Security researcher/Black Hat hacker realms are also pretty blurry. I can see calls for the same safeguards as health safety as search engines and providing support for people in crisis, but trying to moderate access to security information seems in excess. Why shouldn't an org be able to write red team scripts or test out their honeypot?

  • Anyone could figure this stuff out with a simple search and spending their time to do it.

    All this reeks of is corporations that want to leverage AI to build and peddle their products upset that the masses can access the AI models and do it on their own without buying their "New AI product" because their really low hanging fruit stuff I can ask an AI model to build for me, and not pay them 10$ a month per domain to monitor dmarc or something.

    They're going to lobby to create entry barriers to AI app building

    • The 'artificial scarcity' game just got moved up a level.
      It used to be the products that were scarce, but when everything went digital, the product scarcity had to be artificial.
      For a while, it was the creators who were scarce, (programmers, artists) but now that's not scarce either.

      At this point, the only thing that's scarce is energy, water, and RAM.

  • that's supposed to be in place.
  • after this, I bet. Thank you for your service waking them out of complacency.
  • So is that the recipe of La Abuela's Extra-Strong-Beans-and-Chilli Burrito?

  • by know-nothing cunt ( 6546228 ) on Thursday February 26, 2026 @10:17AM (#66011252)

    Most Mexicans would be upset by having their data stolen, but the sensitive ones must be especially troubled.
