
We are wiring AI agents into the systems that run our businesses — support, account recovery, identity verification, document intake — and handing them the access they need to be useful. That access is exactly what makes them worth attacking. A growing list of incidents shows the same move: instead of breaking the AI, attackers talk it into working for them. You cannot fully patch your helpful AI chatbot, but you can decide what data hijacked agents are able to see.
Four incidents, one pattern
Google Dialogflow CX (July 2026): Varonis disclosed a critical flaw in the Google Cloud service companies use to build support, financial, and healthcare chatbots. An attacker who compromised one bot could silently monitor conversations, impersonate it, and in some cases interfere with other chatbots in the same Google Cloud project — then coax users into handing over passwords, insurance details, or financial data. Google patched it and found no sign it was exploited in the wild; the takeaway was that basic isolation was overlooked.
Meta's Instagram recovery assistant (2026): over one weekend, attackers reportedly talked the AI into relinking emails and triggering password resets, bypassing 2FA entirely. No code was cracked. The attack only required knowing what to type. High-value handles were stolen and resold within minutes.
BodySnatcher (CVE-2025-12420, October 2025): a researcher at AppOmni showed how an unauthenticated attacker could impersonate any ServiceNow user with just an email address — no password, no MFA, no SSO — then drive a built-in AI agent to create a backdoor admin account. The AI was not the flaw. It was the weapon that turned a broken auth path into a full platform takeover.
Lenovo's "Lena" (August 2025): researchers manipulated the customer-service chatbot with a ~400-character message that leaked live session cookies, enough to hijack active chats and read past conversations. The instructions hid inside an ordinary product query. The bot did what it was built to do: be helpful.
Different platforms, one shape: a helpful, privileged AI pointed at the wrong target by a crafted sentence, a leaked credential, or a logic gap no one tested against adversarial language.
The AI is now a privileged insider
To make AI useful, teams grant it real access to CRMs, internal APIs, account functions, and customer files. At that point the agent is no longer just a tool; it is a privileged insider sitting in front of sensitive data and able to act on it.
That breaks the assumptions traditional controls were built on. The new attack surface is the model's own willingness to help — you can harden it, but you cannot fully patch it. Security teams call this the "confused deputy": a trusted intermediary tricked into using its permissions for an attacker. All four are confused-deputy attacks, and they share one more trait — the sensitive data was sitting in plaintext somewhere the compromised AI could reach.
The reframe: control what the AI can see
New jailbreaks and injection techniques arrive faster than any platform can close them, so the durable question is not "how do we stop the AI from being tricked?" but "when it is tricked, what can it actually hand over?"
That is a blast-radius question, and you answer it with architecture instead of hope.
This is the role SendSafely Halo plays. Halo is the encrypted data-exchange layer for AI-powered customer service. When a workflow needs a sensitive file, Halo collects it through a secure modal inside the chat. The file is encrypted on the customer's device before it ever leaves. The agent facilitates the collection and posts a secure link back into the conversation — and never gets the file itself.
The AI facilitates. Halo encrypts.
How Halo shrinks the blast radius
The AI collects files but cannot read them. The agent orchestrates the upload without access to the contents. A manipulated agent,or an attacker driving it,cannot exfiltrate what it was never able to decrypt.
Encrypted data does not live in the target platform. The sensitive files AI workflows now collect — passport scans for KYC, HAR files full of session data, financial statements, medical records — are a standing attack surface whenever they sit in plaintext inside the chat platform, ticketing system, or CRM. One breach of any of those systems exposes everything stored in it. Halo keeps that content outside the AI vendor, the chat platform, and the CRM entirely, and out of model logs, inference layers, and training pipelines. When an attacker pivots to admin — as in BodySnatcher — there are no plaintext files there to dump.
The End-to-End Encryption architecture means no intermediaries can read the content — not the AI platform, not the cloud provider, not SendSafely. Encryption is enforced client-side, so a leaked session or stolen vendor credential exposes far less than if the files were stored in the clear.
The AI agent is never an authorized recipient of the package. This is a second gate, independent of encryption: decryption is whether you can read the content; authorization is whether you are allowed to. Halo enforces both. The AI agent is never added to a package's recipient list, so it has no path to the contents even setting keys aside. Access goes only to specifically authorized recipients — a human agent, a back-end system, or another agent with a legitimate need — and it is not permanent. It can be revoked when a case is reassigned, narrowed as a ticket changes hands, or expired over time. An attacker who hijacks the agent inherits the agent's access, which to the package is none.
Data can be expired and deleted automatically. Expiration, access limits, view-only mode, download restrictions, watermarking, and audit logging keep content from lingering as latent exposure. Data that no longer exists cannot be stolen in the next breach.
Run the incidents through this lens: in a BodySnatcher-style takeover the attacker still gets their backdoor admin, but the documents collected through Halo are encrypted outside the platform, not records the agent can be ordered to export. In a Lena-style hijack the leaked history exposes the chat, not the file contents the bot never had keys to. And a Dialogflow-style compromise lets an attacker impersonate the bot, but the files those users have already sent through Halo stay encrypted and out of reach. The manipulation succeeds; the payoff shrinks.
What Halo does not solve
Halo is not a fix for prompt injection, weak authentication, leaked credentials, or missing verification gates. It would not have stopped the BodySnatcher auth bypass, patched Lena's cookie leak, or prevented the Instagram takeovers on its own — those need their own controls, including the hard, out-of-band checkpoint that every credible analysis of these incidents recommends. Halo is one layer in a defense-in-depth posture, not the whole posture. The honest claim is the more useful one: you cannot prevent every manipulation, but you can control what data the manipulated system can see.
This is the beginning
These four are early, well-documented examples of a class of attacks that target an agent's most valuable property: its helpfulness. As teams move from pilots to production and from single chatbots to multi-step agentic workflows — agents triaging before handoff, agents calling other agents — the number of places a helpful AI can be pointed at the wrong target grows with every integration.
The risk concentrates in the data pipeline beneath those workflows. By the time customer data reaches your own systems, it has often already passed through chat tools, ticketing systems, and SaaS platforms that may store, index, or reuse it. Securing the AI model is not enough if the data was exposed upstream. Every modern stack already accepts this logic elsewhere — Stripe handles payments, Twilio handles communications. Encryption of sensitive data is the same kind of primitive: the trust layer between your customers' data and your AI stack.
Your AI stack can fail. Your most sensitive data does not have to be exposed in the process.
Want to see how Halo fits your AI workflow? Book a 30-minute architecture review at sales@sendsafely.com and we'll walk through where your sensitive data is exposed today — and what the blast radius looks like with an encrypted trust layer in place.