Discussion summary

Discussions revolve around potential session or cache leakage issues, with some skepticism about the likelihood and causes. Experts suggest cache sharing, hash collisions, or bugs as possible explanations.

What the discussion says

  • Some believe it's a hallucination or unlikely to be a real leak.
  • Others point to cache sharing or hash collisions as causes.
  • There is skepticism about the severity and likelihood of the issue.
Caches are shared, but its key is always a function of the input.
ec109685
Hash functions necessarily have collisions.
estebarb

Comments

Hacker News

0 evidence. If this were a real privacy leak, the author would ask their coworker if they talked about the unexpected topic instead of

>"Maybe my coworker was talking about this in another session?"

This would be a critical bug that would slash the market value of a T$ company significantly, go ask your coworker or close the ticket, why do you expect the devs to put an enormous amount of effort hunting a potentially inexistent if you can't make that minuscule debugging effort.

by TZubiri

Seems like a hallucination to me; note that the context contains “unmarkBlock” as the function name, which invites a connection to Minecraft. Still shouldn’t happen of course.

The alternative explanation is that the inference engine, which batches several unrelated requests for parallel processing, messed up the unpacking and returned an unrelated user’s query. This one would be very scary as it will leak arbitrary content, but it seems much less likely here.

by mplappert

Caching doesn’t work the way the bug reporter implies. Caches are shared (at least across the enterprise), but its key is always a function of the input before it.

We achieved significant savings simply by moving everything that varies across individuals out of the system prompt so every session starts from a cache point.

For example you never want your system prompt to start with the time that the session started. Move that to the first user message if needed.

by ec109685

There could just also be a bug where the output tokens of session 1 were shared with session 2, due to a race condition or similar.

by supriyo-biswas

Hash functions necesarily have collisions. Also, it is perfectly possible to introduce bugs in the hash function (hash inputs, hash function itself) that allows cross account contamination.

by estebarb

There is a massive incentive for optimization, so I expect they’re doing a ton of very clever tricks, all of which make this kind of bug more likely.

by Waterluvian

Caching is not supposed to work like that, but that doesn’t preclude the cache key computation function from having bugs.

by macNchz

Don't worry. Mythos will fix that before release. Oh, wait...

by dainiusse

fwiw, this could be a bug but the submitters level of arrogance places this rather high on the dunning-kruger side of things. There are multiple other plausible explanations, but this person is probably vibe coder who believes anything an llm says (including explaining its own hallucinations)

by bfeynman

happy fourth of july everybody!

by Kapura

Happy fourth to you too :)

by ofjcihen

Can we acknowledge how it is sad that people get LLMs to basically play computer games for them. What's the point of fun?

by ShinyLeftPad

As a Butlerian, this is hilarious.

by codeduck

Note the repro condition: first response after 5+ min, i.e. a cache miss. A cache leak would show up on hits (someone else's cached prefix), not on misses where everything is recomputed from your own tokens.

by ryantsuji

Don't worry guys, Anthropic are the experts at security and no one else should have access to bug fixing LLMs because that would be dangerous.

by nullbio

The biggest problem with AI agents is this. You can't debug what the AI is doing, so it's really hard to track down where something went wrong.

What I know for sure:

1.Stuff that has nothing to do with the current session got mixed in.

What guessing:

1.There's a minecraft.py file in the tool folder, and that might have triggered some hallucination.

2.Maybe data from some other project on the user's local machine got mixed in somehow.

3.Or it could be from another user's conversation.

Honestly, if I think about how the system actually works, I don't think it's pulling from another user's data. But other people say they've had issues like that, so I can't completely rule it out.

I saw this thing on YouTube once. When a bunch of users share the same system prompt, or prefix, the computation results get shared through something called a KV Cache. At least, that's what I understood. Not sure if I got it right. But if there's some bug in the hashmap that's supposed to keep those caches separate, then maybe multi-tenant memory management just broke down and that's what caused this. I mean, I can guess, but who knows. And honestly, even if that's exactly what happened, they'd never admit it.

At the end of the day, LLMs are just word predictors, right? They build up some kind of semantic space inside. So maybe the user's question just happened to be near Minecraft in that space. That's kind of what I think.

by jdw64

Could still be a hallucination, but the concerning part is that from the outside a hallucination, local context bleed, and an infra/routing bug can be very hard to distinguish.

by aberrahmane_b

> one tool call result that includes a string that printed a pathname including minecraft.py

This seems like a hallucination.

by solenoid0937

Openrouters model providers give me urls people have given them quite frequently.

by ai_fry_ur_brain

I am facing a billing/subscription problem and there's nothing I can do or get help on. Their chatbot support shuts me down. Their email is also handled by the chatbot (not even sure whether it's the "same chatbot"). It has been a dead-end. I contacted my bank (credit card issuer) and finally a staffed said I am better off just marking the card lost and having it reissued and that's what I did in the end. I hope that works.

I've never understood in what world this world decided it was okay to hand over these much unchecked power to such corporations. But this is how it has always been one way or the other.

by mwnn

Reminds me of a session I had recently (on web!) where claude insisted that i prefixed all my messages with statements about code execution or something, which was not the case. I interrogated it about that and it confirmed that it came from somewhere else, but could not get rid of it and each response mentioned that its gonna ignore those instructions. Eerie.

by _def

Anthropic injects text into the conversation triggered by certain conversation topics. This happened to me in relation to some red-teaming related discussion that was adjacent to something “sensitive”, I think sex, and Claude got confused about why I had said some kind of warning and mentioned it it’s response. After a back and forth it was clear that some extra warning to answer but avoid anything inappropriate had been inserted into the conversation.

by andy99

The first reply clearly being a copy and paste from Claude made me want to vomit

If people absolutely need to use AI to write replies, they NEED to start including a "everything after this was generated by AI" disclaimer

by Trasmatta

Is there anything particular about LLMs that would make separating customer data harder than in all SaaS cases?

by jstummbillig

It'd be terribly compute inefficient to not share prefix caches (KV cache) across customers.

by woadwarrior01

If I had to hazard a guess, doing anything in a multi-tenant way on a GPU is going to be hard mode compared to most SaaS due to lack of memory safe tooling. I've built multi-tenant SaaS systems, and I've done a little GPU programming (a long time ago), but I've never tried to combine the two disciplines.

by 27183

Vibe-coding the implementation.

I haven't had much issue with Codex, but seems Claude Code has major issues being reported nearly on the daily.

They also happen to be the most boastful about not reading or looking at the code.

LLMs are very capable, but not nearly to the level they seem to be messaging.

(We've actually moved on from vibe-coding to having the LLM vibe code itself in a loop)

by adam_arthur

Yes:

* There's an enormous amount of very expensive shared state (context cache) which you do not want to duplicate when you can avoid it.

* Memory locality is crucially important for performance.

* Hardware is extremely over-subscribed.

* Hardware is extremely expensive.

These factors all make hardware or even traditional memory-space (hypervisor/VM/hardware assisted virtualization) isolation a non-starter for most workloads and customers, which forces all isolation to the software layer. This already makes things way harder than they are in commodity SaaS.

Moving beyond that, the tools, frameworks, and hardware which the system runs on (GPU) wasn't designed for task isolation and building this isolation is even moreso an emergent research field than it is in x86 CPU hardware-sharing (which has required a huge amount of effort over the past 30+ years to get where we are today).

And, the ratio of usage/sensitivity to maturity is also just poor overall; these are young companies with rapid development and enormous delivery pressure under incredible customer workload requirements, too.

I can't tell if the original post is a real issue or not, but I'm surprised there aren't more like this overall; the whole thing really is a house of cards in this sense.

by bri3d

In order Fable 5 has rejected:

"Recipe for red-braised pork, I have pork shoulder"

"Write up a framework for MCP patterns I can give to claude code"

"explain the biomechanics of motion in c. elegans" (I get this one, I mostly did it to test and it's related to my hobby project)

Do we get an extra day of functional Fable 5 because it's down?

by Avicebron

Join the discussion

Write your take first — we'll ask for email only when you're ready to publish.

  • Hacker News
  • 0 evidence. If this were a real privacy leak, the author would ask their coworker if they talked about the unexpected topic instead of

    >"Maybe my coworker was talking about this in another session?"

    This would be a critical bug that would slash the market value of a T$ company significantly, go ask your coworker or close the ticket, why do you expect the devs to put an enormous amount of effort hunting a potentially inexistent if you can't make that minuscule debugging effort.

    by TZubiri
  • Seems like a hallucination to me; note that the context contains “unmarkBlock” as the function name, which invites a connection to Minecraft. Still shouldn’t happen of course.

    The alternative explanation is that the inference engine, which batches several unrelated requests for parallel processing, messed up the unpacking and returned an unrelated user’s query. This one would be very scary as it will leak arbitrary content, but it seems much less likely here.

    by mplappert
  • Caching doesn’t work the way the bug reporter implies. Caches are shared (at least across the enterprise), but its key is always a function of the input before it.

    We achieved significant savings simply by moving everything that varies across individuals out of the system prompt so every session starts from a cache point.

    For example you never want your system prompt to start with the time that the session started. Move that to the first user message if needed.

    by ec109685
  • There could just also be a bug where the output tokens of session 1 were shared with session 2, due to a race condition or similar.
    by supriyo-biswas
  • Hash functions necesarily have collisions. Also, it is perfectly possible to introduce bugs in the hash function (hash inputs, hash function itself) that allows cross account contamination.
    by estebarb
  • There is a massive incentive for optimization, so I expect they’re doing a ton of very clever tricks, all of which make this kind of bug more likely.
    by Waterluvian
  • Caching is not supposed to work like that, but that doesn’t preclude the cache key computation function from having bugs.
    by macNchz
  • Don't worry. Mythos will fix that before release. Oh, wait...
    by dainiusse
  • fwiw, this could be a bug but the submitters level of arrogance places this rather high on the dunning-kruger side of things. There are multiple other plausible explanations, but this person is probably vibe coder who believes anything an llm says (including explaining its own hallucinations)
    by bfeynman
  • happy fourth of july everybody!
    by Kapura
  • Happy fourth to you too :)
    by ofjcihen
  • Can we acknowledge how it is sad that people get LLMs to basically play computer games for them. What's the point of fun?
    by ShinyLeftPad
  • As a Butlerian, this is hilarious.
    by codeduck
  • Note the repro condition: first response after 5+ min, i.e. a cache miss. A cache leak would show up on hits (someone else's cached prefix), not on misses where everything is recomputed from your own tokens.
    by ryantsuji
  • Don't worry guys, Anthropic are the experts at security and no one else should have access to bug fixing LLMs because that would be dangerous.
    by nullbio
  • The biggest problem with AI agents is this. You can't debug what the AI is doing, so it's really hard to track down where something went wrong.

    What I know for sure:

    1.Stuff that has nothing to do with the current session got mixed in.

    What guessing:

    1.There's a minecraft.py file in the tool folder, and that might have triggered some hallucination.

    2.Maybe data from some other project on the user's local machine got mixed in somehow.

    3.Or it could be from another user's conversation.

    Honestly, if I think about how the system actually works, I don't think it's pulling from another user's data. But other people say they've had issues like that, so I can't completely rule it out.

    I saw this thing on YouTube once. When a bunch of users share the same system prompt, or prefix, the computation results get shared through something called a KV Cache. At least, that's what I understood. Not sure if I got it right. But if there's some bug in the hashmap that's supposed to keep those caches separate, then maybe multi-tenant memory management just broke down and that's what caused this. I mean, I can guess, but who knows. And honestly, even if that's exactly what happened, they'd never admit it.

    At the end of the day, LLMs are just word predictors, right? They build up some kind of semantic space inside. So maybe the user's question just happened to be near Minecraft in that space. That's kind of what I think.

    by jdw64
  • Could still be a hallucination, but the concerning part is that from the outside a hallucination, local context bleed, and an infra/routing bug can be very hard to distinguish.
    by aberrahmane_b
  • > one tool call result that includes a string that printed a pathname including minecraft.py

    This seems like a hallucination.

    by solenoid0937
  • Openrouters model providers give me urls people have given them quite frequently.
    by ai_fry_ur_brain
  • I am facing a billing/subscription problem and there's nothing I can do or get help on. Their chatbot support shuts me down. Their email is also handled by the chatbot (not even sure whether it's the "same chatbot"). It has been a dead-end. I contacted my bank (credit card issuer) and finally a staffed said I am better off just marking the card lost and having it reissued and that's what I did in the end. I hope that works.

    I've never understood in what world this world decided it was okay to hand over these much unchecked power to such corporations. But this is how it has always been one way or the other.

    by mwnn
  • Can be malware? Something like https://news.ycombinator.com/item?id=48667495
    by dchest
  • Reminds me of a session I had recently (on web!) where claude insisted that i prefixed all my messages with statements about code execution or something, which was not the case. I interrogated it about that and it confirmed that it came from somewhere else, but could not get rid of it and each response mentioned that its gonna ignore those instructions. Eerie.
    by _def
  • Anthropic injects text into the conversation triggered by certain conversation topics. This happened to me in relation to some red-teaming related discussion that was adjacent to something “sensitive”, I think sex, and Claude got confused about why I had said some kind of warning and mentioned it it’s response. After a back and forth it was clear that some extra warning to answer but avoid anything inappropriate had been inserted into the conversation.
    by andy99
  • The first reply clearly being a copy and paste from Claude made me want to vomit

    If people absolutely need to use AI to write replies, they NEED to start including a "everything after this was generated by AI" disclaimer

    by Trasmatta
  • Is there anything particular about LLMs that would make separating customer data harder than in all SaaS cases?
    by jstummbillig
  • It'd be terribly compute inefficient to not share prefix caches (KV cache) across customers.
    by woadwarrior01
  • If I had to hazard a guess, doing anything in a multi-tenant way on a GPU is going to be hard mode compared to most SaaS due to lack of memory safe tooling. I've built multi-tenant SaaS systems, and I've done a little GPU programming (a long time ago), but I've never tried to combine the two disciplines.
    by 27183
  • Vibe-coding the implementation.

    I haven't had much issue with Codex, but seems Claude Code has major issues being reported nearly on the daily.

    They also happen to be the most boastful about not reading or looking at the code.

    LLMs are very capable, but not nearly to the level they seem to be messaging.

    (We've actually moved on from vibe-coding to having the LLM vibe code itself in a loop)

    by adam_arthur
  • Yes:

    * There's an enormous amount of very expensive shared state (context cache) which you do not want to duplicate when you can avoid it.

    * Memory locality is crucially important for performance.

    * Hardware is extremely over-subscribed.

    * Hardware is extremely expensive.

    These factors all make hardware or even traditional memory-space (hypervisor/VM/hardware assisted virtualization) isolation a non-starter for most workloads and customers, which forces all isolation to the software layer. This already makes things way harder than they are in commodity SaaS.

    Moving beyond that, the tools, frameworks, and hardware which the system runs on (GPU) wasn't designed for task isolation and building this isolation is even moreso an emergent research field than it is in x86 CPU hardware-sharing (which has required a huge amount of effort over the past 30+ years to get where we are today).

    And, the ratio of usage/sensitivity to maturity is also just poor overall; these are young companies with rapid development and enormous delivery pressure under incredible customer workload requirements, too.

    I can't tell if the original post is a real issue or not, but I'm surprised there aren't more like this overall; the whole thing really is a house of cards in this sense.

    by bri3d
  • In order Fable 5 has rejected:

    "Recipe for red-braised pork, I have pork shoulder"

    "Write up a framework for MCP patterns I can give to claude code"

    "explain the biomechanics of motion in c. elegans" (I get this one, I mostly did it to test and it's related to my hobby project)

    Do we get an extra day of functional Fable 5 because it's down?

    by Avicebron

Related stories