AI Chatbots Leaking Real Phone Numbers: The PII Exposure Problem

AI chatbots are exposing real people's phone numbers. A Redditor reported being inundated with calls from strangers looking for a lawyer or locksmith—misdirected by Google's Gemini. In March a software engineer in Israel was contacted on WhatsApp after Gemini gave out his personal number as PayBox customer service. In April a PhD candidate got Gemini to output a colleague's cell number.
How It Happens
LLMs are trained on web scraped data containing PII. The article notes that the open-source DataComp CommonPool dataset includes résumés, driver's licenses, and credit cards. Even a single instance of a phone number posted online (e.g., on a QA site in 2015) can be reproduced years later.
Scale of the Problem
DeleteMe, which helps remove personal info from the internet, reports a 400% increase in AI-related privacy queries in the last seven months—up to a few thousand. Breakdown: 55% reference ChatGPT, 20% Gemini, 15% Claude, 10% others. Two common scenarios: a user asks about themselves and gets accurate home/phone data, or the chatbot generates plausible-but-wrong contact info for someone else.
Rob Shavell (DeleteMe co-founder) says complaints typically involve the chatbot returning accurate home addresses, phone numbers, family names, or employer details when asked innocuous questions about the user.
What Can Be Done
Experts say the root cause is PII in training data, but the exact mechanism is unclear. There is little users can do to prevent exposure. The article suggests the problem will worsen as AI companies seek new data sources.
📖 Read the full source: HN AI Agents
👀 See Also

From Farm to Code: How a Farmer Created an Open-Source Runtime Defense for OpenClaw
Discover how a farmer, with no prior development experience, created an open-source runtime defense for OpenClaw using multiple AI coding agents in just 12 hours.

Snowflake Cortex Code CLI vulnerability allowed sandbox escape and malware execution
A vulnerability in Snowflake Cortex Code CLI version 1.0.25 and earlier allowed arbitrary command execution without human approval via process substitution bypass, enabling malware installation and sandbox escape through indirect prompt injection.

AppLovin Mediation Cipher Broken: Device Fingerprinting Bypasses ATT
Reverse-engineering revealed that AppLovin's custom cipher uses a constant salt + SDK key, a SplitMix64 PRNG, and no authentication. Decrypted requests carry ~50 device fields (hardware model, screen size, locale, boot time, etc.) even when ATT is denied, enabling deterministic re-identification across apps.

Student contributes two security patches to OpenClaw production system
A student developer fixed a 'fail-open' vulnerability in OpenClaw's gateway logic (PR #29198) and a tabnabbing vulnerability in chat images (PR #18685), with both patches landing in production releases v2026.3.1 and v2026.2.24 respectively.