TY - GEN
T1 - VORTEXPIA
T2 - 19th Conference of the European Chapter of the Association for Computational Linguistics, Findings of EACL 2026
AU - Cui, Yu
AU - Pan, Sicheng
AU - Liu, Yifei
AU - Zhang, Haibin
AU - Zuo, Cong
N1 - Publisher Copyright:
©2026 Association for Computational Linguistics.
PY - 2026
Y1 - 2026
N2 - Large language models (LLMs) have been widely deployed in Conversational AIs (CAIs), while exposing privacy and security threats. Recent research shows that LLM-based CAIs can be manipulated to extract private information from human users, posing serious security threats. However, the methods proposed in that study rely on a white-box setting in which adversaries can directly modify the system prompt. This condition is unlikely to hold in real-world deployments. The limitation raises a critical question: can unprivileged attackers still induce such privacy risks in practical LLM-integrated applications? To address this question, we propose VORTEXPIA, a novel indirect prompt injection attack that induces privacy extraction in LLM-integrated applications under black-box settings. By injecting token-efficient data containing false memories, VORTEXPIA misleads LLMs to actively request private information in batches. Unlike prior methods, VORTEXPIA allows attackers to flexibly define multiple categories of sensitive data. We evaluate VORTEXPIA on six LLMs, covering both traditional and reasoning LLMs, across four benchmark datasets. The results show that VORTEXPIA significantly outperforms baselines and achieves state-of-the-art (SOTA) performance. It also demonstrates efficient privacy requests, reduced token consumption, and enhanced robustness against defense mechanisms. We further validate VORTEXPIA on multiple realistic open-source LLM-integrated applications, demonstrating its practical effectiveness. Our code is available at https://github.com/cuiyu-ai/VortexPIA.
AB - Large language models (LLMs) have been widely deployed in Conversational AIs (CAIs), while exposing privacy and security threats. Recent research shows that LLM-based CAIs can be manipulated to extract private information from human users, posing serious security threats. However, the methods proposed in that study rely on a white-box setting in which adversaries can directly modify the system prompt. This condition is unlikely to hold in real-world deployments. The limitation raises a critical question: can unprivileged attackers still induce such privacy risks in practical LLM-integrated applications? To address this question, we propose VORTEXPIA, a novel indirect prompt injection attack that induces privacy extraction in LLM-integrated applications under black-box settings. By injecting token-efficient data containing false memories, VORTEXPIA misleads LLMs to actively request private information in batches. Unlike prior methods, VORTEXPIA allows attackers to flexibly define multiple categories of sensitive data. We evaluate VORTEXPIA on six LLMs, covering both traditional and reasoning LLMs, across four benchmark datasets. The results show that VORTEXPIA significantly outperforms baselines and achieves state-of-the-art (SOTA) performance. It also demonstrates efficient privacy requests, reduced token consumption, and enhanced robustness against defense mechanisms. We further validate VORTEXPIA on multiple realistic open-source LLM-integrated applications, demonstrating its practical effectiveness. Our code is available at https://github.com/cuiyu-ai/VortexPIA.
UR - https://www.scopus.com/pages/publications/105038913238
U2 - 10.18653/v1/2026.findings-eacl.29
DO - 10.18653/v1/2026.findings-eacl.29
M3 - Conference contribution
AN - SCOPUS:105038913238
T3 - 19th Conference of the European Chapter of the Association for Computational Linguistics, Findings of EACL 2026
SP - 587
EP - 609
BT - 19th Conference of the European Chapter of the Association for Computational Linguistics, Findings of EACL 2026
PB - Association for Computational Linguistics (ACL)
Y2 - 24 March 2026 through 29 March 2026
ER -