OpenAI Rolls Out ChatGPT Lockdown Mode to All Users
ChatGPT’s Lockdown Mode reached all personal accounts in June, blocking the outbound connections that prompt injection attacks use to steal session data.
OpenAI is rolling out Lockdown Mode to all personal ChatGPT accounts, including free-tier users. The optional setting limits outbound network connections to block the final stage of prompt injection attacks, where hidden malicious instructions in web content can direct the platform to transfer sensitive account data to an attacker’s server. It first reached enterprise customers in February before this week’s consumer expansion.
The rollout arrives alongside an active session manager, a new security tool that logs every device and browser that has accessed a ChatGPT account, with the option to sign out of individual sessions or all at once.
How Prompt Injection Raids a Chatbot
Large language models (LLMs, AI systems trained on text to generate natural-language responses) process every input as a single undifferentiated stream. Developer safety rules, a user’s query, and text retrieved from external sources all arrive in the same queue. The model has no hard technical boundary that tells it which source should take priority over another.
A prompt injection exploits that gap. The attack comes in two forms. Direct injection is when a user deliberately crafts input to override safety constraints, the behaviour most people recognize as a jailbreak attempt. The more consequential variant is indirect: the attacker plants malicious instructions inside a webpage, document, or email that the model encounters while completing a legitimate task. The instructions are often invisible to a human reading the page, written in text styled to be invisible or in hidden markup, yet the model reads and acts on them.
The exposure scales with what the AI can do. A chatbot limited to text replies can reveal conversational content. A browser agent that clicks links, reads email, and submits forms on a user’s behalf becomes the vehicle for whatever the injected instruction asks, operating with the user’s own credentials inside their own environment.
The Documented Exploits
Security researchers have catalogued injection exploits against ChatGPT and related systems since 2023. Several of the documented cases involved data leaving accounts through channels users hadn’t initiated.
Plugin-Era Vulnerabilities
ChatGPT’s plugin system, which let the model interact with third-party services and take external actions, created the first substantial indirect injection attack surface. A plugin could act on instructions the model arrived at independently, giving malicious content embedded in external sources a direct route to execution without user confirmation.
Documented cases include:
- “Chat with Code” plugin (2023): A prompt injection payload embedded in a webpage instructed the plugin to modify GitHub repository permission settings, turning a private repository public, as documented in a peer-reviewed survey of prompt injection attack methods and defenses published in early 2026.
- Copy-paste injection (2024): Text hidden inside clipboard content, invisible to the user but readable by the model, was used to exfiltrate chat history once pasted into ChatGPT.
- GPT-Store system prompt leaks (2024): Custom OpenAI GPTs were found vulnerable to injection, disclosing proprietary system instructions and API keys to anyone who prompted them the right way.
- Memory feature exploit (2024): Researchers demonstrated that injected instructions could embed themselves into ChatGPT’s long-term memory, enabling persistent data collection across separate conversations over time.
The Agent Attack Surface
ChatGPT Atlas, OpenAI’s browser-agent product, widened the exposure further. The agent operates directly inside a user’s browser, clicking links, reading emails, and submitting forms on the user’s behalf. It encounters untrusted content as part of routine work, and any malicious instruction embedded in that content has a fully credentialed agent to act on it.
OpenAI published a concrete example of the threat on its Atlas security hardening blog:
The attacker seeds the user’s inbox with a malicious email containing a prompt injection that directs the agent to send a resignation letter to the user’s CEO. Later, when the user asks the agent to draft an out-of-office reply, the agent encounters that email during normal task execution, treats the injected prompt as authoritative, and follows it.
Instead of drafting the out-of-office message, the agent sends a resignation letter to the CEO.
What Lockdown Mode Shuts Off
The feature works by deterministically cutting capabilities that provide outbound transmission channels, the network routes an attacker needs to receive extracted data. OpenAI uses “deterministic” to mean a hard architectural constraint, one that can’t be argued around by an engineered prompt the way a probabilistic model-level filter occasionally can.
Web browsing under the lockdown is limited to cached content only, with no live network requests leaving OpenAI’s servers during a session. This specifically addresses the most direct exfiltration path: an instruction directing the model to fetch a URL controlled by the attacker with user data embedded in the request string. No live connection means the theft can’t complete.
| Capability | Status in Lockdown Mode |
|---|---|
| Live web browsing | Limited to cached content; no live network requests leave OpenAI’s servers |
| Deep Research | Disabled |
| Agent Mode | Disabled |
| File downloads for analysis | Disabled |
| Web-derived images in responses | Limited |
| Image generation | Available |
| Manual file uploads | Available |
| Memory | Unchanged |
| Conversation sharing | Unchanged |
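The deterministic gate described above can be modelled as a check on the capability being invoked rather than on the prompt that produced it. The following is an added example, not OpenAI's code: the `Gate`, `Capability` and `Decision` names, the capability list (taken from the table) and the constructed cache contents are assumptions, and `lethal_trifecta` applies Willison's three conditions discussed later in the article.

```python
"""Toy model of a lockdown-style capability gate (added example, not OpenAI's code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Capability(Enum):
    LIVE_BROWSE = "live_web_browsing"
    DEEP_RESEARCH = "deep_research"
    AGENT_MODE = "agent_mode"
    FILE_DOWNLOAD = "file_download"
    IMAGE_GEN = "image_generation"
    FILE_UPLOAD = "manual_file_upload"


# Capabilities that open an outbound channel; cut when lockdown is on.
# Image generation and manual uploads stay available, as in the table.
OUTBOUND_CAPABILITIES = {
    Capability.LIVE_BROWSE, Capability.DEEP_RESEARCH,
    Capability.AGENT_MODE, Capability.FILE_DOWNLOAD,
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    served_from_cache: bool = False


@dataclass
class Gate:
    lockdown: bool
    # Constructed sample cache: URL -> previously fetched body. Under lockdown,
    # browsing is served only from here, so no live request leaves the server.
    cache: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)  # denied outbound attempts

    def request(self, cap: Capability, url: Optional[str] = None) -> Decision:
        """Decide a tool call without reading the prompt: the rule keys on the
        capability, so no wording in the context can argue around it."""
        if not self.lockdown or cap not in OUTBOUND_CAPABILITIES:
            return Decision(True, "permitted")
        if cap is Capability.LIVE_BROWSE and url in self.cache:
            return Decision(True, "cached content only", served_from_cache=True)
        # A denied fetch of an unknown URL during a task is a detection signal.
        self.audit_log.append((cap.value, url))
        return Decision(False, f"{cap.value} disabled in lockdown mode")


def lethal_trifecta(private_data: bool, untrusted_content: bool, gate: Gate) -> bool:
    """All three conditions present? Lockdown removes only the network channel."""
    return private_data and untrusted_content and not gate.lockdown
```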
Per OpenAI’s February announcement of the feature, workspace administrators on team and enterprise accounts can configure restrictions for members using role-based access controls. Individual users can also disable the protection for a single conversation by selecting Manage from the status bar above the chat window, without turning off the setting globally.
The Boundary the Feature Admits
OpenAI’s documentation is explicit on what the lockdown cannot do: it does not prevent injected instructions from appearing in content the model processes. A malicious instruction inside a file a user manually uploads, or in cached web content the model reads, can still affect the accuracy and direction of a response. The setting cuts the final step, the outbound request that would carry extracted data to an attacker’s server.
Developer Simon Willison, who has maintained a detailed public record of prompt injection research since 2022, wrote on June 5 that the feature’s existence implies ChatGPT’s default settings don’t provide robust protection against sufficiently determined data exfiltration attempts. The company’s help documentation on the feature describes prompt injection itself as a “frontier, challenging research problem” and frames the lockdown as one layer in a multi-layered approach, sitting above sandboxing, URL-based exfiltration protections, and session monitoring already in place.
Willison has identified a vulnerability condition he calls the “Lethal Trifecta”: an LLM system that simultaneously holds access to private data, processes untrusted external content, and maintains a network channel that an attacker can reach. The lockdown severs the third element; the first two remain in any standard ChatGPT configuration.
Deep Research and Agent Mode are disabled entirely when the setting is active. The company says certain network-connected capabilities carry risks it hasn’t found ways to fully mitigate, and the lockdown removes them rather than filtering their outputs probabilistically.
The Security Suite It Ships With
The active session manager rolling out alongside the lockdown logs every device, browser, and approximate location that has accessed an account. Users review the list under Settings, then terminate individual sessions or sign out of all sessions at once; full logouts take up to 30 minutes to propagate across all active tokens.
Three security layers now available on consumer ChatGPT accounts:
- Lockdown Mode – limits live web browsing to cached content and disables the platform’s most network-dependent agentic features, activated per account or configured by workspace admins for members
- Elevated Risk labels – appear in ChatGPT, ChatGPT Atlas, and Codex for capabilities involving external connections or broader system access; removed dynamically as OpenAI determines the underlying risk has been mitigated
- Active session manager – shows logged-in devices with approximate location and sign-in time, with per-session or bulk logout available
The company has been consistent on who the feature is for since the February launch: executives, security professionals, healthcare workers, journalists, and others who routinely handle sensitive data in ChatGPT. For most users, the existing protections at the model, product, and system levels are sufficient without activating the lockdown. The February launch covered enterprise, education, healthcare, and teacher accounts; this week’s expansion reaches Free, Go, Plus, Pro, and self-serve Business accounts.
Frequently Asked Questions
How Do I Enable Lockdown Mode in ChatGPT?
Open ChatGPT’s settings menu, select Safety and security, then navigate to Advanced security and toggle Lockdown mode on, as confirmed in OpenAI’s ChatGPT release notes. The setting is available on all logged-in personal accounts, including Free, Go, Plus, and Pro tiers. Workspace administrators can also configure it for all members through workspace settings and role-based access controls.
Does Lockdown Mode Affect ChatGPT Memory or File Uploads?
No. The setting does not change memory, the ability to manually upload files, conversation sharing, or whether conversations are used to improve models. Those settings remain independently configurable by users and workspace administrators, per OpenAI’s product documentation.
Can I Disable Lockdown Mode for a Single Conversation?
Yes. When the setting is active, a status message appears above the chat window. Select Manage from that bar, then choose “Turn off for this chat” to suspend protection for that session only. The setting remains active globally for all other conversations.
Who Should Use Lockdown Mode?
OpenAI says the feature is designed for a small set of highly security-conscious users, specifically executives and security team members at high-risk organizations, healthcare workers, journalists, and anyone who regularly processes sensitive data in ChatGPT sessions. The company says it is not necessary for most users, as existing protections across the model, product, and system levels are sufficient for standard use cases.
Prompt injection attacks against ChatGPT plugins were first documented publicly in 2023. The lockdown reached consumer accounts more than two years later.