Unsanctioned users have allegedly accessed Anthropic’s controversial Claude Mythos Preview AI frontier model although the company has limited the businesses that can use it.
The group, who have yet to be named, had apparently made many attempts to access Mythos since it debuted earlier this month. They finally gained access via a third-party vendor.
The users who accessed Mythos on the day it was announced are members of a Discord group known for searching for information about unreleased AI models.
According to the Bloomberg report, the group, using knowledge it had about a format Anthropic had used for other models, “made an educated guess about [Mythos’] online location.” One of the group told the news agency they were “interested in playing around with new models, not wreaking havoc with them.”
An Anthropic spokesperson told TechCrunch that the company was investigating the claim and has found no indications that the group’s activities have affected its systems.
Effectively a challenge
Tim Mackey, Head of Software Supply Chain Risk Strategy at Black Duck, says Anthropic’s marketing message for Mythos was effectively a challenge, not dissimilar to a capture the flag exercise, where success includes claims of unauthorised access to Mythos.
“The unfortunate reality is that while it’s great to hear that novel cybersecurity models are being provided to select researchers to evaluate, if your team is on the outside looking in, waiting for the final report might not be top of mind. For defenders, even the spectre of unauthorised access to an adversarial model as powerful as Mythos is purported to be, only increases anxiety levels.
“What’s clear is that security leaders in organizations of all sizes should take this claim as a call to action focused on the role AI enabled cybersecurity plays in their operations and how best to scale those efforts to deal with AI enabled adversaries.”
Sharing information and experience is critical
We are in the very early days of understanding the impact of Mythos Preview, and as a security community it is critical we share information and experience on it, adds John Gallagher, Vice President of Viakoo Labs at Viakoo. “If there are rogue entities with access who are not sharing their experiences it can only be viewed negatively.”
Gallagher says there has always been an arms race between cyber defenders and cyber attackers, and Mythos is currently the most powerful armament available. “If we do not know whose hands it is in, it should be viewed no differently than uncontrolled distribution of enriched uranium.”
If true, he says this undermines Project Glasswing, which was set up explicitly to give cyber defenders early access to Mythos Preview in order to define and mount defences against it. “Threat actors having early access to Mythos Preview puts them on the same footing (or possibly with advantages) versus cyber defenders.
“Uncontrolled access to Mythos Preview will hit hardest on operators of critical OT, IoT, and ICS systems. Already knowing the fifty IT organisations with early access to Mythos would naturally focus threat actors on targets outside of those 50 companies, most likely non-standard operating systems that are prevalent in OT and IoT.”
Gallagher says with modern infrastructure management it seems odd that unauthorized access to Mythos Preview would go unnoticed; typically there are signs of intrusion, and access to something like Mythos Preview should be highly monitored. “This should not be ambiguous. Much more likely is that, across the members of Project Glasswing, an authorized user might be subverted into providing access to threat actors.”
Likely not a significant exposure
If the model has escaped Pandora’s Box, Gallagher says there should be immediate validation and public notification of it. “Since that has not happened here, it is likely that there was not significant exposure. However, there has never been a prize as valuable to cyber criminals before as early access to Mythos Preview; it potentially can open all bank accounts and reveal all secrets. Threat actors are highly sophisticated, very well-funded, and determined. We are in a race to harden systems and have rapid patching at high scale in place before threat actors can leverage Mythos Preview; cyber defenders establishing and maintaining a lead is the highest priority.”
It didn’t require a sophisticated attack
Ram Varadarajan, CEO at Acalvio, adds that the Mythos breach didn’t require a sophisticated attack. “It just required a contractor, a URL pattern, and a Day-One guess, which means the ‘controlled release’ model failed at its weakest link before the model’s capabilities were ever the issue. This is the supply chain problem that perimeter-centric security has always underestimated: access controls are a policy, not an architecture, and policies fail.
“Deception infrastructure is what’s needed and operates precisely in the post-breach environment. It doesn’t assume the perimeter held, it instruments the terrain inside so that when someone wanders in uninvited, their every move becomes a signal.”
The broader security implications
Nicole Carignan, Senior Vice President, Security & AI Strategy, and Field CISO at Darktrace, says while the investigation focuses on access and controls, the broader security implications are more important—and predictable. “This highlights the continued weaponisation of commercial tooling. Frontier and near‑frontier models are increasingly dual‑use by default. Capabilities designed to improve software quality and security can be repurposed with minimal friction to accelerate vulnerability discovery for malicious ends. This is not a failure of intent; it is an outcome of scale, accessibility, and capability diffusion.”
Carignan believes these models will continue to be a target for threat actors to gain access to in order to achieve initial access capabilities to organisations. “More concerning is access to critical vulnerabilities that have not yet been released to the public. Possession of undisclosed, high‑severity vulnerabilities enables threat actors to facilitate more sophisticated and scaled access to organisations through exploiting an ‘unknown’ vulnerability. This further accelerates the breakdown of threat- and vulnerability-management–centric security programs, leaving the detection of exploitation (and even attempted exploitation) as the only viable line of defence.”
She says it is also important to be realistic about containment. “This was never going to be contained to a single model, organisation, or access control failure. Threat actors do not need this system; they need a system with sufficient capability. Whether through parallel development, model leakage, fine‑tuning, or the combination of multiple weaker models and tools, similar outcomes can be achieved.
“The strategic mistake would be to treat this as an isolated incident rather than a signal. Advanced vulnerability discovery capabilities will continue to proliferate, and the window between discovery and exploitation will continue to shrink. Security teams must operate under the assumption that unknown vulnerabilities are already being found and potentially acted upon.”
A boundary failure between trusted environments
Diana Kelley, Chief Information Security Officer at Noma Security, says based on what has been made public, this doesn’t look like a compromise of Anthropic’s core systems. “It appears more like a boundary failure between trusted environments, involving a third-party access path. That’s a familiar pattern. Third-party privileges often become the weakest link in otherwise well-controlled systems, and this looks consistent with that kind of exposure.
“The stakes here scale with the asset. This isn’t just unauthorised access to data, it’s access to a capability designed to identify and potentially chain vulnerabilities. It’s a good reminder that in AI environments, controlling who can access the model, where, and under what constraints is becoming just as critical as protecting the underlying infrastructure.”
It’s not surprising, it’s inevitable
Heath Renfrow, Co-Founder and Chief Information Security Officer at Fenix24, says the incident isn’t surprising; it’s inevitable. “When a frontier model is restricted, high-value, and connected through third-party ecosystems, it becomes a target. This wasn’t a sophisticated breach of core systems; it appears to be exploitation of exposure at the edges: likely access pathways, assumptions in deployment patterns, or partner integrations.”
That distinction matters, he says. “Because it reinforces a broader reality: the modern attack surface isn’t just your infrastructure; it’s your ecosystem. Third-party access is now the weakest link. Even if Anthropic’s core environment wasn’t compromised, access through a vendor still represents a breakdown in control. This mirrors what we see in ransomware every day: attackers don’t go through the front door, they go where governance is weakest.”
Renfrow says “curiosity-driven” access is still a security failure. The claim that the group wasn’t malicious is irrelevant. Unauthorized access = loss of control. Period. “AI models introduce a new class of asset risk. Frontier models like Mythos aren’t just software; they are intellectual property, decision engines, and potential operational dependencies. That elevates the impact of even limited exposure.”
He adds that this is exactly why detection is not enough, and why the industry is still behind. Organizations rushing to adopt AI should be asking:
- If this system is compromised, can we recover it?
- If access pathways are abused, can we isolate and rebuild trust quickly?
- Do we even understand what this model is connected to?
The oldest trick in the book
Agnidipta Sarkar, Chief Evangelist at ColorTokens, says while Anthropic is investigating, the only information publicly available so far is that the attack used the oldest trick in the book, impersonating someone with existing access. “A member of a Discord group interested in unreleased AI models gained access using the credentials of a third-party contractor employee. The users reportedly guessed the model’s URL based on knowledge of Anthropic’s URL patterns for other models. The good news is that Anthropic detected the breach and contained it to that specific vendor’s environment.
“One of the key controls that every modern environment needs is micro-segmentation, which can effectively reduce the blast radius to specific vendors and leave no elbow room for attackers to navigate. I am hoping Anthropic is using similar controls to keep the attack contained, such as zero-trust mechanisms. In the end, if the target is not available, the attack does not progress.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.