Plus: Spy firms tap into a global telecom weakness to track targets, 500,000 UK health records go up for sale on Alibaba, Apple patches a revealing notification bug, and more.
# Incident Report: Unauthorized Access to Anthropic’s Mythos AI
## Executive Summary
Amateur researchers on Discord gained unauthorized access to Anthropic’s highly restricted "Mythos Preview" AI model and other unreleased tools. The breach was achieved through open-source intelligence (OSINT) gathered from a third-party data breach and improper permission configurations. While the attackers reportedly only used the model for benign purposes, the incident highlights the risks of supply chain vulnerabilities and predictable infrastructure naming conventions in the AI industry.
## Incident Details
- **Discovery Date:** April 21, 2026 (Reported by Bloomberg)
- **Incident Date:** Late 2025 - Early 2026 (Following the Mercor breach)
- **Affected Organization:** Anthropic
- **Sector:** Artificial Intelligence / Technology
- **Geography:** Global / Distributed (Discord-based actors)
## Timeline of Events
### Initial Access
- **Date/Time:** Circa April 2026
- **Vector:** Exploitation of leaked data and predictable URL structures.
- **Details:** The actors analyzed leaked data from a breach at **Mercor** (an AI training startup and Anthropic contractor). They used knowledge of Anthropic’s internal naming conventions to "guess" the web URL of the highly restricted Mythos model.
### Lateral Movement
- The attackers already held valid permissions to other Anthropic models, granted through their employment or contracting roles with an Anthropic partner firm, and used that legitimate access to pivot and probe for the unreleased Mythos model.
### Data Exfiltration/Impact
- Unauthorized users gained full functional access to "Mythos Preview" and other unreleased AI models. No internal database exfiltration was reported; rather, the "theft" was the unauthorized compute and use of proprietary, restricted intellectual property.
### Detection & Response
- **How it was discovered:** Reports surfaced via Bloomberg and external security researchers tracking Discord communities.
- **Response actions taken:** Anthropic restricted access once notified; partner firm Mercor’s data breach was investigated to determine the extent of the leaked documentation.
## Attack Methodology
- **Initial Access:** Valid accounts (via a contractor) and OSINT from a third-party breach.
- **Persistence:** Utilization of legitimate contractor credentials.
- **Privilege Escalation:** Exploiting broad permission sets that failed to implement "Least Privilege" for unreleased models.
- **Defense Evasion:** Attackers purposefully used the AI for "simple" tasks (building basic websites) to avoid triggering anomaly detection or usage spikes that would alert Anthropic.
- **Discovery:** Guessing URLs based on known formatting patterns (Predictable Resource Location).
- **Collection:** Interaction with proprietary AI model weights/interfaces.
- **Impact:** Unauthorized usage of highly sensitive, "dangerously capable" cybersecurity AI tools.
## Impact Assessment
- **Financial:** Minimal direct loss, though unauthorized compute costs were incurred.
- **Data Breach:** Exposure of unreleased proprietary AI models (Intellectual Property).
- **Operational:** Forced a review of contractor access levels and model deployment security.
- **Reputational:** High; Mythos was marketed as "carefully restricted" due to its power, yet was accessed by "amateur sleuths."
## Indicators of Compromise
- **Network indicators:** Access to hxxps[://]anthropic[.]com/model-path-previews (conceptual defanged example).
- **Behavioral indicators:** Unusual access patterns from contractor-associated credentials to unlisted or restricted model endpoints.
## Response Actions
- **Containment:** Revocation of the specific access tokens/credentials used.
- **Eradication:** Rotation of internal environment URLs and model endpoints.
- **Recovery:** Hardening of the API gateway and model-access permissions.
## Lessons Learned
- **Predictable Infrastructure:** Using consistent naming conventions for restricted assets allows attackers to "guess" locations (IDOR/Predictable Resource Location).
- **Contractor Risk:** Third-party vendors (like Mercor) are often the "weak link" in the security perimeter of major AI labs.
- **Permission Bloat:** Legitimate access to one model should not automatically grant the ability to probe or access others.
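The two technical lessons above, predictable resource location and permission bloat, are easiest to see side by side in code. The following is an added example, not Anthropic's code or anything from the report: a small model-endpoint registry in which endpoint paths are minted from high-entropy random tokens rather than derived from the model's name, and in which the path is never what authorizes a call. Every request is checked against the caller's explicit grant set, so holding access to one model gives no ability to reach another, and both kinds of denial return an identical client response. All model ids, principal names, organizations and grants are constructed for illustration.

```python
"""Deny-by-default authorization for model endpoints (added example; constructed data)."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    org: str               # employer; external contractors get the narrowest grants
    grants: frozenset      # exact model ids this principal may call; no wildcards


@dataclass(frozen=True)
class Decision:
    allowed: bool
    audit_reason: str      # precise reason, written to the audit log only
    client_message: str    # what the caller sees; identical for every denial


class ModelRegistry:
    def __init__(self):
        self._path_by_model = {}
        self._model_by_path = {}

    def register(self, model_id: str) -> str:
        """Mint an endpoint path that cannot be inferred from a naming convention.

        32 random bytes (256 bits) rendered URL-safe. Contrast the derivable
        f"/v1/models/{model_id}" that a predictable convention would produce.
        """
        path = f"/v1/models/{secrets.token_urlsafe(32)}"
        self._path_by_model[model_id] = path
        self._model_by_path[path] = model_id
        return path

    def path_of(self, model_id: str) -> str:
        return self._path_by_model[model_id]

    def authorize(self, principal: Principal, path: str) -> Decision:
        """Deny by default: unknown paths and ungranted models are both refused.

        The client message is the same in both cases, so the response cannot
        be used to tell "does not exist" apart from "exists, not granted".
        The audit log still records the exact reason for responders.
        """
        model_id = self._model_by_path.get(path)
        if model_id is None:
            return Decision(False, "unknown endpoint", "not found")
        if model_id not in principal.grants:
            return Decision(False, f"{principal.name} not granted {model_id}", "not found")
        return Decision(True, f"{principal.name} granted {model_id}", f"ok:{model_id}")


def scenario():
    """A contractor granted one model cannot reach another, by path or by guess."""
    reg = ModelRegistry()
    reg.register("model-a")
    reg.register("mythos-preview")
    # Constructed principals: one external contractor, one internal evaluator.
    contractor = Principal("contractor-17", "ExampleVendor", frozenset({"model-a"}))
    internal = Principal("eval-lead", "ExampleLab", frozenset({"model-a", "mythos-preview"}))
    return {
        "contractor_own_model": reg.authorize(contractor, reg.path_of("model-a")),
        "contractor_restricted": reg.authorize(contractor, reg.path_of("mythos-preview")),
        # A conventional, name-derived path is simply not registered.
        "contractor_conventional_path": reg.authorize(contractor, "/v1/models/mythos-preview"),
        "internal_restricted": reg.authorize(internal, reg.path_of("mythos-preview")),
    }


if __name__ == "__main__":
    for name, d in scenario().items():
        print(f"{name:30} allowed={d.allowed!s:5} client='{d.client_message}' audit='{d.audit_reason}'")
```

The random path is a defense in depth only: in `authorize` the grant check runs on every call regardless of how the path was obtained, which is the property that would have made a leaked naming convention useless to anyone without a grant.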
## Recommendations
- **Zero Trust Architecture:** Implement strict identity-based access controls for all model endpoints.
- **URL Obfuscation:** Use non-predictable, high-entropy strings for unreleased model endpoints/URLs.
- **Vendor Risk Management:** Mandate stricter data handling and breach notification protocols for data-labeling and training contractors.
- **Anomaly Detection:** Monitor for "low and slow" usage of restricted models that might indicate unauthorized but cautious usage.
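The behavioral indicator in the Indicators of Compromise section and the "low and slow" recommendation above describe the same detection problem: contractor credentials reaching restricted model endpoints at a volume too small to trip rate-based alerts. The following is an added example, not Anthropic's or Bloomberg's material, that runs two rules over a constructed JSON-lines gateway log. Rule 1 flags any call to a model outside the principal's grant table, treating a success as more severe than a refusal because it means the authorization layer itself let the call through. Rule 2 flags restricted-model use by external principals that stays under a small daily ceiling but recurs across several days. The log format, principal names, organizations, grant table and thresholds are all constructed for illustration.

```python
"""Detection for contractor access to restricted model endpoints (added example; constructed data)."""
import json
from collections import defaultdict

# Constructed grant table: who each principal is, and which models they may call.
GRANTS = {
    "contractor-17": {"org": "external", "models": {"model-a"}},
    "contractor-22": {"org": "external", "models": {"model-a", "model-b"}},
    "contractor-31": {"org": "external", "models": {"model-a", "mythos-preview"}},  # broad grant
    "internal-eval": {"org": "internal", "models": {"model-a", "model-b", "mythos-preview"}},
}
RESTRICTED = {"mythos-preview"}

# Constructed gateway access log, one JSON object per line.
SAMPLE_LOG = """\
{"ts":"2026-04-01T09:12:00Z","principal":"contractor-17","model":"model-a","status":200}
{"ts":"2026-04-01T09:40:00Z","principal":"contractor-17","model":"mythos-preview","status":200}
{"ts":"2026-04-02T10:05:00Z","principal":"contractor-17","model":"mythos-preview","status":200}
{"ts":"2026-04-03T11:00:00Z","principal":"contractor-17","model":"mythos-preview","status":200}
{"ts":"2026-04-04T08:30:00Z","principal":"contractor-17","model":"mythos-preview","status":200}
{"ts":"2026-04-05T09:00:00Z","principal":"contractor-17","model":"mythos-preview","status":200}
{"ts":"2026-04-02T14:00:00Z","principal":"contractor-22","model":"model-b","status":200}
{"ts":"2026-04-02T14:01:00Z","principal":"contractor-22","model":"mythos-preview","status":403}
{"ts":"2026-04-01T16:00:00Z","principal":"contractor-31","model":"mythos-preview","status":200}
{"ts":"2026-04-02T16:10:00Z","principal":"contractor-31","model":"mythos-preview","status":200}
{"ts":"2026-04-03T16:05:00Z","principal":"contractor-31","model":"mythos-preview","status":200}
{"ts":"2026-04-04T16:20:00Z","principal":"contractor-31","model":"mythos-preview","status":200}
{"ts":"2026-04-02T15:00:00Z","principal":"internal-eval","model":"mythos-preview","status":200}
"""


def parse_log(text):
    """Parse JSON lines; the calendar day is the first 10 characters of the ISO timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["day"] = e["ts"][:10]
            events.append(e)
    return events


def detect(events, grants, restricted, min_days=3, max_per_day=5):
    alerts = []

    # Rule 1: any call to a model the principal is not granted, whatever the status.
    # A 403 is a probe worth knowing about; a 200 means authorization is broken.
    seen = set()
    for e in events:
        entry = grants.get(e["principal"], {"org": "unknown", "models": set()})
        if e["model"] not in entry["models"]:
            key = (e["principal"], e["model"], e["status"])
            if key not in seen:
                seen.add(key)
                alerts.append({"rule": "ungranted-model",
                               "severity": "critical" if e["status"] == 200 else "high",
                               "principal": e["principal"], "model": e["model"],
                               "status": e["status"]})

    # Rule 2: low and slow. Successful restricted-model use by an external principal
    # that never exceeds max_per_day calls in a day yet recurs on >= min_days days.
    per_day = defaultdict(lambda: defaultdict(int))
    for e in events:
        org = grants.get(e["principal"], {}).get("org", "unknown")
        if e["model"] in restricted and e["status"] == 200 and org != "internal":
            per_day[(e["principal"], e["model"])][e["day"]] += 1
    for (principal, model), days in per_day.items():
        peak = max(days.values())
        if len(days) >= min_days and peak <= max_per_day:
            alerts.append({"rule": "low-and-slow", "severity": "medium",
                           "principal": principal, "model": model,
                           "days": len(days), "peak_per_day": peak})
    return alerts


def run():
    return detect(parse_log(SAMPLE_LOG), GRANTS, RESTRICTED)


if __name__ == "__main__":
    for a in run():
        print(a)
```

On the constructed log this yields four alerts: contractor-17 trips both rules (ungranted calls that succeeded, then a five-day pattern of one call per day), contractor-22 trips rule 1 on a single refused call, and contractor-31, who does hold a grant, is surfaced only by rule 2, which is the case a pure authorization check would never raise. The internal evaluator's single call produces nothing. Rule 2 keys on the principal's organization rather than on volume precisely because the usage the report describes was deliberately kept small.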