ML Security PapersExternal Data Extraction Attacks against Retrieval-Augmented Large Language Models
Yu He 1,2, Yifei Chen 1,2, Yiming Li 3, Shuo Shao 1,2, Leyi Qi 1,2, Boheng Li 3, Dacheng Tao 3, Zhan Qin 1,2
Published on arXiv
2510.02964
Sensitive Information Disclosure
OWASP LLM Top 10 — LLM06
Prompt Injection
OWASP LLM Top 10 — LLM01
Key Finding
SECRET extracts 35% of documents from RAG powered by Claude 3.7 Sonnet while all prior attacks achieve 0% extraction, demonstrating practical feasibility of knowledge-base exfiltration
SECRET
Novel technique introduced
In recent years, RAG has emerged as a key paradigm for enhancing large language models (LLMs). By integrating externally retrieved information, RAG alleviates issues like outdated knowledge and, crucially, insufficient domain expertise. While effective, RAG introduces new risks of external data extraction attacks (EDEAs), where sensitive or copyrighted data in its knowledge base may be extracted verbatim. These risks are particularly acute when RAG is used to customize specialized LLM applications with private knowledge bases. Despite initial studies exploring these risks, they often lack a formalized framework, robust attack performance, and comprehensive evaluation, leaving critical questions about real-world EDEA feasibility unanswered. In this paper, we present the first comprehensive study to formalize EDEAs against retrieval-augmented LLMs. We first formally define EDEAs and propose a unified framework decomposing their design into three components: extraction instruction, jailbreak operator, and retrieval trigger, under which prior attacks can be considered instances within our framework. Guided by this framework, we develop SECRET: a Scalable and EffeCtive exteRnal data Extraction aTtack. Specifically, SECRET incorporates (1) an adaptive optimization process using LLMs as optimizers to generate specialized jailbreak prompts for EDEAs, and (2) cluster-focused triggering, an adaptive strategy that alternates between global exploration and local exploitation to efficiently generate effective retrieval triggers. Extensive evaluations across 4 models reveal that SECRET significantly outperforms previous attacks, and is highly effective against all 16 tested RAG instances. Notably, SECRET successfully extracts 35% of the data from RAG powered by Claude 3.7 Sonnet for the first time, whereas other attacks yield 0% extraction. Our findings call for attention to this emerging threat.
Key Contributions
- First formalized framework for external data extraction attacks (EDEAs) decomposing adversarial query design into three components: extraction instruction, jailbreak operator, and retrieval trigger
- SECRET attack combining adaptive LLM-as-optimizer jailbreak generation with cluster-focused triggering that alternates global exploration and local exploitation to maximize knowledge base coverage
- Comprehensive evaluation across 16 RAG instances and 4 models (including Claude 3.7 Sonnet), achieving 35% extraction where all prior attacks yield 0%