Dropbox discovers and discloses repeated-token training data extraction vulnerability in GPT-3.5 and GPT-4
OpenAI's GPT-3.5 and GPT-4 models were vulnerable to divergence attacks triggered by repeated token sequences, allowing extraction of memorized training data including PII and sensitive information. After OpenAI deployed an initial mitigation filtering single-token repeats, multi-token repeat sequences still allowed exploitation of the same vulnerability.
OpenAI's initial filtering defense focused exclusively on single-token repetitions (reflecting the emphasis of the Scalable Extraction paper), leaving multi-token repeat sequences able to induce the same model divergence and training data extraction from both GPT-3.5 and GPT-4.
After Dropbox's responsible disclosure in January 2024, OpenAI confirmed the training data extraction vulnerabilities and patched them by extending filtering to block multi-token repeat prompts and adding a server-side timeout for long-running requests.
Frequently asked questions
What did this team achieve with this AI workflow?
After Dropbox's responsible disclosure in January 2024, OpenAI confirmed the training data extraction vulnerabilities and patched them by extending filtering to block multi-token repeat prompts and adding a server-sid…
What tools did this team use?
GPT-3.5, GPT-4, Python, Langchain.
What results were reported?
sequential matching tokens in GPT-3.5 training data extraction: over 100 sequential cl100k_base tokens; GPT-4 streaming response tokens before timeout: over 10,700 tokens; non-streaming GPT-4 request timeout duration: ten minutes; estimated full GPT-4 long-running request duration: thirty minutes (source-reported, not independently verified).
What failed first in this deployment?
OpenAI's initial filtering defense focused exclusively on single-token repetitions (reflecting the emphasis of the Scalable Extraction paper), leaving multi-token repeat sequences able to induce the same model diverge…
How is this compliance monitoring AI workflow structured?
Internal AI security review → Repeated multi-token divergence attack → Training data match validation → GPT-4 memorized passage extraction → Responsible disclosure to OpenAI → Remediation and research publication.