‘Whisper Leak’: How Spies Can See Your “Private” AI Chat Topics

Microsoft researchers have sounded the alarm on a major privacy flaw in popular AI chatbots. A new attack method, dubbed ‘Whisper Leak,’ can let spies figure out what you’re talking about with an AI, even when your conversation is fully encrypted. This vulnerability poses a serious risk to everyone, from individual users to large corporations, who trust these tools with sensitive information.

This leakage of data happens because of the way most modern AI models deliver their answers. If you’re discussing private financial details or sensitive company strategy, an attacker could be listening in—not to your exact words, but to the topic of your chat. This revelation fundamentally challenges the assumption that the padlock icon on your browser means your AI conversations are truly private.

How Your ‘Secure’ Chat Is Leaking Data

You know when you ask an AI a question, and it “types” the answer back to you word by word, instead of making you wait for the full response? That feature is called “streaming.” It’s helpful because it provides instant feedback, but according to Microsoft, this convenience comes at a high price.

Your connection to the AI is protected by encryption (like HTTPS or TLS), which is supposed to scramble the data so no one can read it. And while an attacker can’t read the content of what you’re saying, they can still see the flow of data. A cyberattacker in a position to observe your traffic—someone on the same public Wi-Fi, a malicious employee on a corporate network, or even a nation-state actor monitoring an internet service provider—can measure the size of the tiny data packets and the exact timing between them as the AI streams its response.

Microsoft’s team discovered that this pattern—the sequence of packet sizes and their timing—creates a unique “fingerprint” for different topics. An attacker can collect these patterns and use machine learning to train a ‘classifier’ tool. This tool essentially learns to match specific data fingerprints to specific topics.

Once this tool is trained, the attack is simple. The attacker just watches the encrypted traffic. Their tool can automatically flag any conversations that match the fingerprint for a sensitive subject, such as “money laundering,” “political dissent,” or any other topic they are monitoring.

Major AI Models Were Wide Open

This isn’t just a theory. The Microsoft security team built a proof-of-concept attack to test it against the biggest names in AI. The results were alarming.

Models from top labs like OpenAI, Mistral, Microsoft itself, and xAI were found to be extremely vulnerable. The attack tool could identify specific topics with over 98% accuracy. This means if an attacker was looking for a specific subject, they would almost never miss it.

Interestingly, models from Google and Amazon seemed to hold up better. The researchers believe this is because those models tend to “batch” or group words together before sending them, which helps muddy the data pattern and makes it harder to analyze. However, even these models were not completely immune to the attack.

The researchers warned that this threat could become even worse over time. An attacker with patience and resources could collect more training samples, use more sophisticated attack models, and analyze patterns across multiple conversations from the same user to achieve even higher success rates.

Rushing to Plug the ‘Whisper Leak’

After Microsoft responsibly shared its findings, the affected companies, including OpenAI, Mistral, and Microsoft, scrambled to deploy a fix. The solution is actually quite clever and effective.

To break the attack, the AI models now add a “random sequence of text of variable length” to their streaming responses. In simple terms, they are padding the stream with hidden junk data, or ‘noise.’ This junk data is invisible to the user, but it completely changes the size and timing patterns of the encrypted traffic. It effectively masks the ‘fingerprint’ of the real answer, making the attacker’s classifier tool useless.
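The following is an added illustration, not code from Microsoft or from any of the providers named in this article, of why streaming leaks and why variable-length padding stops the leak. It simulates a server that emits one streamed token per server-sent-event chunk. Without padding, each chunk's wire size is the token's size plus a fixed framing overhead, so an observer who only sees ciphertext lengths learns the exact token-length sequence (the raw material of the “fingerprint” described above). With padding, a random-length field rides along in each chunk and the size no longer tracks the token. The token list, the `delta` and `obfuscation` field names, and the 32-character padding cap are all constructed for this example, not any provider's actual wire format.

```python
import json
import secrets
import string

# Constructed stand-in for a streamed model answer; not real model output.
SAMPLE_TOKENS = ["The", " quick", " brown", " fox", " jumps",
                 " over", " the", " lazy", " dog", "."]

_ALPHABET = string.ascii_letters + string.digits


def encode_chunk(token: str, pad: bool = False, max_pad: int = 32) -> bytes:
    """Serialize one streamed token as a server-sent-event chunk.

    With pad=False the chunk is the token wrapped in fixed framing, so its
    length is token length + constant. With pad=True an 'obfuscation' field
    (a constructed name, not any provider's schema) carries a random-length
    string, drawn from a CSPRNG so the padding itself is unpredictable.
    """
    payload = {"delta": token}
    if pad:
        n = secrets.randbelow(max_pad + 1)          # 0..max_pad characters
        payload["obfuscation"] = "".join(secrets.choice(_ALPHABET) for _ in range(n))
    # Default json.dumps separators give '{"delta": "..."}', a fixed overhead.
    return ("data: " + json.dumps(payload) + "\n\n").encode("utf-8")


def stream(tokens, pad: bool = False, max_pad: int = 32) -> list[bytes]:
    """Produce the sequence of chunks a passive observer would see the sizes of."""
    return [encode_chunk(t, pad, max_pad) for t in tokens]


def overhead_values(tokens, chunks) -> set[int]:
    """Set of (chunk size - token size) across the stream.

    A single value means every chunk is the token plus a constant, i.e. an
    observer recovers every token length exactly by subtracting that constant.
    Several values mean size no longer determines token length.
    """
    return {len(c) - len(t.encode("utf-8")) for t, c in zip(tokens, chunks)}


def leaks_token_length(tokens, pad: bool, max_pad: int = 32) -> bool:
    """True when the wire sizes are a fixed offset from token sizes."""
    return len(overhead_values(tokens, stream(tokens, pad, max_pad))) == 1


if __name__ == "__main__":
    plain = stream(SAMPLE_TOKENS)
    padded = stream(SAMPLE_TOKENS, pad=True)
    print("unpadded chunk sizes:", [len(c) for c in plain])
    print("padded chunk sizes:  ", [len(c) for c in padded])
    print("unpadded leaks token lengths:", leaks_token_length(SAMPLE_TOKENS, pad=False))
    print("padded leaks token lengths:  ", leaks_token_length(SAMPLE_TOKENS, pad=True))
```

Size is only half of the side channel; the article notes that the padding also disturbs timing, because emitting a variable-length field per chunk changes when each TLS record goes out. The example does not model timing, and it deliberately pads every chunk rather than only some: padding that is applied conditionally would itself become a signal.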

While many major providers have already rolled out this fix, Microsoft still recommends that users take extra precautions. If you’re on an untrusted network, like a coffee shop’s public Wi-Fi, you should avoid discussing highly sensitive topics. For an extra layer of security, using a VPN (Virtual Private Network) can help hide your traffic from local snoopers. Users could also, in theory, switch to non-streaming models, though these are often slower and less common.

AI Safety Still Has a Long Way to Go

The ‘Whisper Leak’ attack highlights a growing problem: AI security is still in its infancy, and researchers are constantly finding new, unexpected vulnerabilities. This isn’t the only security headache for AI developers, either.

A separate, recent report from researchers at Cisco AI Defense looked at a different kind of weakness in eight open-source AI models. They tested how well these models could resist “multi-turn attacks”—basically, an attacker trying to “jailbreak” the AI’s safety rules over a long, back-and-forth conversation.

The Cisco team found that many of today’s models are “systemically unable” to keep their safety guardrails up during extended chats. It seems the longer you talk to them, the easier it is to trick them into bypassing their own rules and generating harmful content.

That study also noted a worrying trend. Models that were focused on being powerful and “capable,” like Meta’s Llama 3.3, were the easiest to trick. Models designed with safety as a top priority, like Google’s Gemma 3, performed better, though no model was perfect.

Both of these discoveries paint a clear picture. Organizations are rushing to adopt AI, but the fundamental security is still being worked out. Experts warn that without strong security checks, routine “red-teaming” (hiring people to try and break the AI), and better safety alignment, companies are taking on massive operational risks.
