A security researcher has demonstrated how a malicious Google Calendar invite can prompt-inject ChatGPT and coax it into leaking private emails once Google connectors are enabled. In a post onX, on September 12, Eito Miyamura outlines a simple scenario: An attacker sends a calendar invitation seeded with instructions and waits for the target to engage with ChatGPT and ask it to perform an action. ChatGPT then reads the booby-trapped event and follows orders to search Gmail and follow sensitive details. “All you need? The victim’s email address,” Miyamura claims.
In mid-August, OpenAI introduced native Gmail, Google Calendar, and Google Contacts connectors in ChatGPT, initially to Pro users and subsequently to Plus, with release notes stating that the assistant can automatically reference these sources in chat after authorization. That means a casual, “What’s on my calendar today?” can pull data directly from your Google account without you explicitly choosing a source each time.
We got ChatGPT to leak your private email data 💀💀All you need? The victim's email address. ⛓️💥🚩📧On Wednesday, @OpenAI added full support for MCP (Model Context Protocol) tools in ChatGPT. Allowing ChatGPT to connect and read your Gmail, Calendar, Sharepoint, Notion,… pic.twitter.com/E5VuhZp2u2September 12, 2025
What’s happening under the hood is indirect prompt injection. The attacker’s instructions are hidden inside data that the assistant is allowed to read — in this case, the text of a calendar event. In August, researchers demonstrated how a compromised invite could steer Google’s Gemini into controlling smart-home devices and leaking information, work that has since been documented in both security write-ups and a paper titled “Invitation Is All You Need.” The technicalities differ by platform, but the core risk is the same once an assistant is permitted to read compromised calendar content.
Ultimately, nothing happens unless you first connect Gmail and Calendar inside ChatGPT, and the assistant’s behavior still depends on the policies and prompts OpenAI applies when it ingests third-party content. Documentation also notes that you can disconnect sources or disable automatic use, which limits opportunities for a compromised event to influence a routine chat.
If you’re concerned, the most effective fix is on the Google side. Change Google Calendar’s “Automatically add invitations” setting so only invitations from known senders or those you accept appear on your calendar, and consider hiding declined events. Google’s support pages walk through those options in detail, and Google Workspace administrators can set safer defaults organization-wide.
The broader takeaway from this isn’t that ChatGPT or Gmail has been “hacked,” but that tool-using AI is unusually susceptible to hostile instructions lurking in the data you let it read. The connectors that make these assistants somewhat useful also expand the attack surface to calendars and inboxes. Until the industry ships stronger, default-on defenses against indirect prompt injection, the safest course of action is to be conservative about which accounts you connect and, in this specific scenario, lock down your calendar so strangers cannot plant surprises.
Follow Tom's Hardware on Google News, or add us as a preferred source, to get our up-to-date news, analysis, and reviews in your feeds. Make sure to click the Follow button!
