ShortSpan.ai logo Home

Researchers expose RAG data-extraction weakness in practice

Agents
Published: Mon, Oct 06, 2025 • By Adrian Calder
Researchers expose RAG data-extraction weakness in practice
New research shows retrieval-augmented LLMs (RAG) can leak private knowledge bases via a scalable method called SECRET. The study formalises external data extraction attacks (EDEAs), shows SECRET outperforms prior attacks across multiple models and extracts up to 35% of a private knowledge base in one tested setup, raising governance and defence concerns.

Retrieval-augmented large language models (RAG) are everywhere because they let a model pull in external documents to answer questions more accurately. That convenience comes with a blind spot. A new paper formalises external data extraction attacks (EDEAs) against RAG systems and introduces SECRET, an attack that markedly improves an adversary's ability to force a RAG system to spit back verbatim material from its private knowledge base.

The authors break EDEAs into three concrete parts: the extraction instruction that tells the model what to reveal, a jailbreak operator that tries to override safety rules, and a retrieval trigger that elicits the relevant documents from the index. SECRET ties those components together with two practical moves. First, it uses an LLM as an optimiser to craft specialised jailbreak prompts. Second, it applies cluster-focused triggering, alternating global exploration with local exploitation to hunt document clusters in embedding space rather than firing blind queries.

The evaluation is not lightweight. The team tests across four target models, including Claude 3.7 Sonnet, Gemini 2.0 Flash, GPT-4o mini and the open source DeepSeek V3, and across 16 RAG configurations. They populate knowledge bases with 1,000 entries from two realistic datasets and use a dense retriever returning ten documents per query. SECRET outperforms five baseline attacks and, in one striking result, extracts 35 percent of the private knowledge base from a RAG instance powered by Claude 3.7 Sonnet while other attacks returned zero extraction.

Why this matters

The practical upshot is clear. Organisations that feed private or copyrighted documents into a RAG pipeline cannot assume those documents are safe just because the model sits behind an API or a system prompt. SECRET shows that adaptive prompts and smarter retrieval triggers can bypass naive defences. The paper also finds that simple mitigations, such as tweaking the system prompt or running sentence-level similarity checks, reduce leakage but often do not eliminate it. Prompts optimised on one model can sometimes transfer to others, too, raising the reuse risk.

What to do next

If you run RAG systems, treat this research as a red flag rather than a theoretical curiosity. Tighten access control to knowledge bases, minimise the amount of sensitive text you index, and add server-side retrieval filtering so the model never sees raw private documents. Introduce query budgets, rate limits and anomaly detection on retrieval patterns. Use redaction or token-level sanitisation for particularly sensitive records and run adversarial tests that mirror SECRET to measure actual leakage.

In short, RAG buys capability but also expands the attack surface. Practical, layered controls and proactive testing are the only realistic way to keep private or proprietary material out of an LLM's conversational output. The paper does not claim complete doom, but it does move the needle: data exfiltration from RAG is feasible, scalable and worth addressing today.

Additional analysis of the original ArXiv paper

📋 Original Paper Title and Abstract

External Data Extraction Attacks against Retrieval-Augmented Large Language Models

Authors: Yu He, Yifei Chen, Yiming Li, Shuo Shao, Leyi Qi, Boheng Li, Dacheng Tao, and Zhan Qin
In recent years, RAG has emerged as a key paradigm for enhancing large language models (LLMs). By integrating externally retrieved information, RAG alleviates issues like outdated knowledge and, crucially, insufficient domain expertise. While effective, RAG introduces new risks of external data extraction attacks (EDEAs), where sensitive or copyrighted data in its knowledge base may be extracted verbatim. These risks are particularly acute when RAG is used to customize specialized LLM applications with private knowledge bases. Despite initial studies exploring these risks, they often lack a formalized framework, robust attack performance, and comprehensive evaluation, leaving critical questions about real-world EDEA feasibility unanswered. In this paper, we present the first comprehensive study to formalize EDEAs against retrieval-augmented LLMs. We first formally define EDEAs and propose a unified framework decomposing their design into three components: extraction instruction, jailbreak operator, and retrieval trigger, under which prior attacks can be considered instances within our framework. Guided by this framework, we develop SECRET: a Scalable and EffeCtive exteRnal data Extraction aTtack. Specifically, SECRET incorporates (1) an adaptive optimization process using LLMs as optimizers to generate specialized jailbreak prompts for EDEAs, and (2) cluster-focused triggering, an adaptive strategy that alternates between global exploration and local exploitation to efficiently generate effective retrieval triggers. Extensive evaluations across 4 models reveal that SECRET significantly outperforms previous attacks, and is highly effective against all 16 tested RAG instances. Notably, SECRET successfully extracts 35% of the data from RAG powered by Claude 3.7 Sonnet for the first time, whereas other attacks yield 0% extraction. Our findings call for attention to this emerging threat.

🔍 ShortSpan Analysis of the Paper

Problem

The paper studies external data extraction attacks against retrieval augmented large language models (RA-LLMs). It defines external data extraction attacks (EDEAs) as attempts by adversaries to induce RA-LLMs to reveal verbatim content from a knowledge base used in a retrieval augmented system. This is particularly worrying when organisations deploy private or copyrighted data within private knowledge bases to support customised LLM applications. The work aims to formalise EDEAs within a unified framework, clarify their feasibility in real world settings, and evaluate scalable efforts to exfiltrate data from RA-LLMs.

Approach

The authors introduce a formal definition of EDEAs and present a three component framework for their design: extraction instruction, jailbreak operator, and retrieval trigger. They argue that many prior attacks can be seen as instances within this framework. Guided by this, they design SECRET a scalable and effective external data extraction attack. SECRET comprises two main innovations: (1) an adaptive optimisation process that uses LLMs as optimisers to generate specialised jailbreak prompts for EDEAs and (2) cluster focused triggering an adaptive strategy that alternates between global exploration and local exploitation to efficiently generate effective retrieval triggers. The attack proceeds in two phases: Phase 1 jailbreak prompt generation where an optimized prompt is produced, and Phase 2 adaptive extraction via cluster focused triggering which iteratively extracts documents. The evaluation uses four models including Claude 3.7 Sonnet Gemini 2.0 Flash GPT 4o mini and the open source DeepSeek V3 across sixteen RAG configurations built from two sensitive datasets Enron Email and HealthcareMagic 101. The external knowledge base is populated with one thousand entries from each dataset; retrieval uses a dense vector retriever with ten documents per query. For comparison SECRET is evaluated against five baselines including four existing EDEAs and an adapted GCG Leak method. Three metrics are used to assess effectiveness and efficiency: refusal rate RR extraction rate with the theoretical minimum queries ER TMQ and maximum extraction rate MER.

Key Findings

  • SECRET significantly outperforms previous attacks across all tested models and sixteen RA-LLM instances, demonstrating robust data exfiltration capabilities even against defenses.
  • In a notable real world like scenario, SECRET extracts a substantial fraction of data from private or copyrighted knowledge bases; in one case it extracted 35 percent of the data from RAG powered by Claude 3.7 Sonnet whereas other attacks achieved zero extraction. SECRET also achieves high fidelity verbatim leakage evidenced by low refusal rates and meaningful extraction rates under defended setups; for example Claude 3.7 Sonnet could be coaxed to reveal retrieved documents with low refusal rate and meaningful extraction metrics in certain configurations.
  • SECRET uses an optimised jailbreak prompt generated by an LLM based optimiser and a cluster focused triggering strategy that balances global exploration with local exploitation to locate and exploit document clusters in embedding space. Ablation studies show that each component (adaptive jailbreak prompt generation semantic shift in local exploration and the priority queue heuristic) contributes to improved extraction, with the full SECRET configuration delivering the strongest results.
  • A formal analysis indicates cluster focused triggering can be more query efficient than global exploration beyond a threshold query budget. In cluster rich data sets with large cluster sizes SECRET’s CFT strategy yields higher deduplicated document yields per query over GE, especially as the budget increases.
  • Defensive evaluations reveal that naive or generic defenses such as simple system prompt enhancements or sentence level similarity checks can reduce leakage but often fail to neutralise SECRET. Defensive text or detectors may detect some prompts but can suffer high false positive rates and can be bypassed by SECRET’s adaptive prompts. Transferability tests show that prompts optimised for one LLM can transfer to others, though transferability varies by target model.
  • When evaluating under real world settings and different retrieval templates and surrogate encoders, SECRET remains robust to parameter variations including retrieval count per query, mismatch in encoders, and distance metrics, though performance can be influenced by template choice and RAG configuration.

Limitations

The study focuses on attack effectiveness rather than stealthiness, leaving open questions about detection and stealth metrics. Although SECRET shows strong performance under black box conditions against multiple LLMs, the theoretical optimum of complete extraction remains unattained in practice. Real world verification of exfiltrated data and potential operational constraints like latency and cost are not exhaustively addressed. The evaluation also relies on specific datasets and RAG templates; results may vary with different KB characteristics or system prompts. The authors acknowledge these limitations and view them as directions for future work.

Why It Matters

The work formalises a class of privacy and intellectual property risks inherent to retrieval augmented LLMs and demonstrates a scalable attack SECRET that significantly improves data exfiltration from RAG systems. It highlights practical risks to organisations private data stored in knowledge bases and to proprietary information, emphasising the need for stronger data governance and defensive measures. The findings imply that access controls, data governance for knowledge bases, prompt and retrieval sanitisation, jailbreak resistant prompts, monitoring and anomaly detection, auditing of data flows, and safer integration patterns for RAG systems are essential to mitigate such leaks. The societal impact note stresses privacy and IP protection considerations in AI enabled systems while not emphasising weapons or broad workforce impacts.

Attribution Original paper on arXiv
← Back to Latest