Microsoft Copilot hit by ‘Reprompt’ exploit enabling stealth data leaks

Reprompt is a textbook example of why LLM-based copilots are fundamentally different from traditional SaaS apps in the threat model they present. The exploit chain doesn’t rely on exotic zero-days; it piggybacks on Copilot’s own flexible prompt handling and lack of continuous authentication, turning a single click on a crafted URL into a persistent, hidden channel for leaking conversation histories and sensitive user data. It’s another reminder that prompts and URLs are now effectively part of the attack surface.([computerworld.com](https://www.computerworld.com/article/4117750/one-click-is-all-it-takes-how-reprompt-turned-microsoft-copilot-into-a-data-exfiltration-tool.html))

For the AGI race, incidents like this are double-edged. On one hand, they may slow aggressive deployment of more autonomous agents in enterprises, as CISOs push back on giving LLMs broad system access without strong identity and policy controls. On the other, they force the ecosystem to invent new patterns for securing agentic systems—continuous verification, sandboxed tool use, and richer telemetry about model actions. Those capabilities will be prerequisites for safely operating more general AI systems that can make decisions and take actions on behalf of users. In that sense, every high-profile exploit is also a forcing function for better AI security engineering.