ChatGPT Privacy Shock: Sensitive Prompts Leaked into Google Search Console
10 November, 2025 / by Fosbite
What happened: ChatGPT prompts appearing in Google Search Console
Over the last few months I — and many site owners I talk to — started spotting something oddly specific in Google Search Console (GSC): ultra-long, highly personal queries that didn’t look like search keywords at all. Instead of tidy keyword phrases, entries were full ChatGPT prompts: relationship confessions, draft business plans, and other stuff people reasonably expected to stay private.
How the leak was discovered
Analytics researcher Jason Packer of Quantable first flagged the anomaly in a detailed blog post. He later teamed up with optimization expert Slobodan Manić and they ran a series of tests. Their working theory — and it’s worth stressing this was investigative, not an official forensic report — was this: a ChatGPT bug or misconfiguration routed user prompts into Google Search, and Google’s tokenization of certain OpenAI URLs caused those raw prompts to surface in GSC for sites that ranked for pieces of that URL.
Why this is different — and worse — than earlier exposure incidents
- Before, some ChatGPT chats landed in Google because users accidentally made them public (checked a box, shared a link). That leak required user action.
- This incident reportedly produced prompts showing up in GSC without users intentionally sharing — meaning private inputs were visible to site owners via their analytics. That’s a different privacy failure entirely.
Technical clues: tokenized URLs and the 'hints=search' parameter
Packer and Manić noticed many of the odd queries began with a specific OpenAI path (for example, https://openai.com/index/chatgpt/). Google’s tokenizer turned that into search tokens like "openai index chatgpt" and sites ranking for those tokens began seeing the long prompts inside their GSC reports.
The probable mechanism they sketched is this: a prompt box on a ChatGPT page included a query string (notably a hints=search parameter) that instructed the model to consult the web. In the buggy flow, the full user prompt — prefixed by that URL — was apparently sent to Google as part of a search request, and then surfaced in GSC for some sites. Again: plausible, technically coherent, but not a full admission from OpenAI about exact internals.
What OpenAI and Google said
OpenAI acknowledged an issue and said it fixed a glitch that "temporarily affected how a small number of search queries were routed." Google declined to comment publicly. OpenAI didn’t confirm the exact mechanics Packer and Manić proposed, nor did it publish a clear scope estimate for how many prompts leaked — so the story still has blunt edges and unanswered questions.
Real examples and scale
In Packer’s review of a single site he found roughly 200 odd queries — everything from a stream-of-consciousness relationship prompt to an office manager’s internal announcement draft. OpenAI called the affected volume "small" but didn’t quantify. Given ChatGPT’s hundreds of millions of weekly users, even a tiny fraction matters — privacy risk magnified by scale.
Privacy implications and lingering concerns
This event raises several practical privacy and product-safety questions I’ve been chewing on:
- Were prompts routed to Google only for search augmentation, or did Google receive data that could be re-used? Packer’s tests suggest prompts that required current-event info triggered web searches that exposed raw prompts to Google — but OpenAI hasn’t clarified whether that data could be used beyond a one-off search call (training, indexing, etc.).
- Can affected prompts be removed from Google Search Console? Unlike prior incidents where OpenAI removed publicly indexed chats, prompts appearing inside someone else’s GSC don’t have a neat user-facing takedown path. That complicates remediation for people who pasted confidential details into ChatGPT.
- How widespread was the bug? Was it isolated to a specific ChatGPT page or endpoint, or more systemic across product flows? We still don’t have a clear answer.
One hypothetical example (original insight)
Picture this: a small startup founder pastes confidential financials into ChatGPT to get a tailored investor pitch. If that prompt triggered a web search and ended up showing in GSC, other site owners ranking for related tokens might suddenly see that sensitive text in their analytics — effectively exposing confidential plans without consent. I’ve worked on product teams that assumed analytics never reveal raw user inputs. Trust me: when that assumption breaks, things get messy fast.
What security and product teams should do now
If you run a site and you’ve started seeing unusually long or personal queries in your GSC, here’s a practical checklist — not exhaustive, but things that actually help:
- Audit GSC queries for long strings and any entries that look like full sentences or personal details. Search for obvious OpenAI tokens (e.g., "openai index chatgpt") and patterns that match the tokenized URL behavior.
- Redact and document any sensitive findings. Save screenshots, export GSC data, and notify legal/privacy teams right away — evidence matters if you need to escalate.
- Monitor impression/click anomalies — researchers have called this a "crocodile mouth" pattern: big spikes in impressions with falling clicks. It’s a sign something odd is being tokenized or surfaced.
- Follow vendor comms from OpenAI and Google. Push for transparency: ask whether prompts were retained, whether they reached Google for training, and what the removal or mitigation process looks like.
- Harden your own telemetry — if you operate a product that integrates web search, add guardrails so raw user inputs aren’t sent to third parties without redaction or explicit consent.
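The audit and redaction steps in this checklist can be scripted against an exported query report. The sketch below is an added example, not code from Packer, Manić or any vendor; the CSV column names (assumed to match GSC's "Queries" export), the 12-word threshold, the first-person heuristic and the sample rows are all assumptions constructed for illustration.

```python
import csv
import hashlib
import re

# Raw and tokenized forms of the OpenAI path described on this page.
PREFIXES = ("https://openai.com/index/chatgpt/", "openai index chatgpt")
MIN_WORDS = 12  # assumed threshold; tune against your own query data
FIRST_PERSON = re.compile(r"\b(i|my|me|we|our)\b")

# Constructed sample; column names assume GSC's "Queries" CSV export.
SAMPLE_CSV = """Top queries,Clicks,Impressions,CTR,Position
chatgpt pricing,40,900,4.44%,6.1
openai index chatgpt,3,5200,0.06%,8.7
"openai index chatgpt i need help writing an announcement to my office about the new parking rules, please keep it friendly",0,1,0%,9.0
"https://openai.com/index/chatgpt/ my partner and i have been arguing a lot lately and i do not know what to say",0,1,0%,11.2
how to export search console data to bigquery step by step for a large site with many properties,2,30,6.67%,4.0
"""

def classify(query):
    """Return the reasons a query looks like a pasted prompt (empty if none)."""
    q = " ".join(query.lower().split())
    reasons = []
    # Prefix followed by more text; the bare brand query alone is not a hit.
    if any(q.startswith(p) and q[len(p):].strip() for p in PREFIXES):
        reasons.append("openai-prefix+text")
    if len(q.split()) >= MIN_WORDS:
        reasons.append("long")
    if FIRST_PERSON.search(q):
        reasons.append("first-person")
    return reasons

def audit(csv_text):
    """Flag prompt-like rows, recording a hash and counts instead of raw text."""
    findings = []
    for row in csv.DictReader(csv_text.splitlines()):
        query = row["Top queries"]
        reasons = classify(query)
        if "openai-prefix+text" in reasons or {"long", "first-person"} <= set(reasons):
            findings.append({
                "sha256": hashlib.sha256(query.encode("utf-8")).hexdigest(),
                "words": len(query.split()),
                "impressions": int(row["Impressions"]),
                "reasons": reasons,
            })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CSV):
        print(finding)
```

The findings carry a SHA-256 of each query rather than its text, so the report can be shared with legal or privacy teams and matched back to the restricted raw export without copying someone's prompt into another system.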
Takeaways: Lessons for users and platforms
- Prompts aren’t as private as you might assume. Treat sensitive data cautiously, even in tools that feel private. If it’s confidential, don’t paste it into a conversational AI without safeguards.
- Platform fixes can be opaque. "We resolved a glitch" often lacks detail about root cause, scope, and remediation. Demand better transparency — users deserve it.
- Security researchers matter. Independent analyses from people like Packer and Manić surface issues big companies might not fully disclose or even notice quickly.
Where to read more
For deeper technical context and the tests that inspired this reporting, read Packer’s write-up at Quantable, and see Ars Technica’s related coverage tracing earlier ChatGPT indexing incidents in search results.
Final thought
Bottom line: whether this was a buggy prompt box, a routing oversight, or an unfortunate side-effect of web search augmentation, the episode underlines a simple product-safety truth — integrate web search carefully when user privacy is on the line. I’ll be honest: seeing sample strings made me uneasy. Privacy slips rarely happen in isolation, and they deserve rapid, transparent fixes. If you’re a user — don’t paste your secrets. If you’re a product owner — assume someone will find the gap and make sure there’s a clear remediation plan.