{"id":22840,"date":"2026-05-13T18:41:17","date_gmt":"2026-05-13T18:41:17","guid":{"rendered":"https:\/\/ideainthebox.com\/index.php\/2026\/05\/13\/ai-chatbots-are-giving-out-peoples-real-phone-numbers\/"},"modified":"2026-05-13T18:41:17","modified_gmt":"2026-05-13T18:41:17","slug":"ai-chatbots-are-giving-out-peoples-real-phone-numbers","status":"publish","type":"post","link":"https:\/\/ideainthebox.com\/index.php\/2026\/05\/13\/ai-chatbots-are-giving-out-peoples-real-phone-numbers\/","title":{"rendered":"AI chatbots are giving out people\u2019s real phone numbers"},"content":{"rendered":"
\n

People report that their personal contact info was surfaced by Google AI\u2014and there\u2019s apparently no easy way to prevent it.\u00a0<\/p>\n

A Redditor recently wrote<\/a> that he was \u201cdesperate for help\u201d: for about a month, he said, his phone had been inundated by calls from \u201cstrangers\u201d who were \u201clooking for a lawyer, a product designer, a locksmith.\u201d Callers were apparently misdirected by Google\u2019s generative AI.\u00a0<\/p>\n

In March, a software developer in Israel was contacted on WhatsApp after Google\u2019s chatbot Gemini provided incorrect customer service instructions that included his number.\u00a0<\/p>\n

And in April, a PhD candidate at the University of Washington was messing around on Gemini and got it to cough up her colleague\u2019s personal cell phone number.\u00a0<\/p>\n

AI researchers<\/a> and online privacy experts<\/a> have long warned<\/a> of the myriad dangers<\/a> generative AI poses for personal privacy. These cases give us yet another scenario to worry about: generative AI exposing people\u2019s real phone numbers. (The Redditor did not respond to multiple requests for comment and we could not independently verify his story.)<\/p>\n

Experts say that these privacy lapses are most likely due to personally identifiable information (PII) being used in training data<\/a>, though it\u2019s hard to understand the exact mechanism causing real phone numbers to show up in the AI-generated responses. But no matter the reason, the result is not fun for people on the receiving end\u2014and, even more worryingly, there appears to be little that anyone can do to stop it.\u00a0<\/p>\n<\/p>\n

A 400% increase in AI-related privacy requests<\/h3>\n

It\u2019s impossible to know how often people\u2019s phone numbers are exposed by AI chatbots, but experts say they believe that it is happening far more than is reported publicly.\u00a0<\/p>\n

DeleteMe, a company that helps customers remove their personal information from the internet, says customer queries about generative AI have increased by 400%\u2014up to a few thousand\u2014in the last seven months. These queries \u201cspecifically reference ChatGPT, Claude, Gemini \u2026 or other generative AI tools,\u201d says Rob Shavell, the company\u2019s cofounder and CEO. Specifically, 55% of these concerns about generative AI reference ChatGPT, 20% reference Gemini, 15% Claude, and 10% other AI tools, Shavell says. (MIT Technology Review<\/em> has a business subscription to DeleteMe.)<\/p>\n

Shavell says customer complaints about personal information being surfaced by LLMs usually take two forms: Either \u201ca customer asks a chatbot something innocuous about themselves and gets back accurate home addresses, phone numbers, family members\u2019 names, or employer details.\u201d Alternatively, a customer may be confronted with and report the exposure of someone else\u2019s <\/em>personal data, when \u201cthe chatbot generates plausible-but-wrong contact information.\u201d\u00a0<\/p>\n

This aligns with what happened to Daniel Abraham, a 28-year-old software engineer in Israel. In mid-March, he says, a stranger sent him a \u201cweird WhatsApp message from an unknown number\u201d asking for help with his account in PayBox, an Israeli payment app.\u00a0<\/p>\n

\u201cI thought it was a spam message,\u201d he wrote to MIT Technology Review<\/em> in an email\u2014\u201csomeone who was trying to troll me.\u201d<\/p>\n

But when he asked the stranger how they had found his number, they sent him a screenshot of Gemini\u2019s instructions to contact PayBox customer service via WhatsApp\u2014giving his personal number. Abraham does not work for PayBox, and PayBox does not have a WhatsApp customer service number, Elad Gabay, a customer service representative for the company, confirmed.<\/p>\n

Later, Abraham asked Gemini how to contact PayBox, and it generated another person\u2019s WhatsApp number. When I recently asked, Gemini again responded with an Israeli phone number\u2014it belonged not to PayBox, but to a separate credit card company that works with PayBox.<\/p>\n

\"Screenshot
Screenshot: Google Gemini provides MIT Technology Review <\/em>with the incorrect number for PayBox. <\/figcaption><\/figure>\n<\/p>\n

Abraham\u2019s exchange with the stranger ended quickly, but he said he was concerned about how other potential exchanges could quickly turn sour, including \u201charassment or other bad interactions.\u201d \u201cWhat if I asked for money in order to \u2018solve\u2019 that [customer service] issue?\u201d he said.<\/p>\n

To try to figure out how this happened, Abraham ran a regular Google search on his phone number, and he found that it had been shared online once, back in 2015, on a local site similar to Quora. Though he\u2019s not sure who posted it there, it may explain how it ended up being reproduced by Gemini over a decade later.\u00a0<\/p>\n

Chatbots like Gemini, Open AI\u2019s ChatGPT, and Anthropic\u2019s Claude are built on LLMs that are trained on huge amounts of data scraped from across the web. This inevitably includes hundreds of millions of instances of PII. As we reported<\/a> last summer, for example, the large popular open-source data set DataComp CommonPool, which has been used to train image-generation models, included copies of r\u00e9sum\u00e9s, driver\u2019s licenses, and credit cards.\u00a0<\/p>\n

The likelihood of PII appearing in AI training data is only increasing as public data \u201cruns out\u201d<\/a> and AI companies look for new sources of high-quality training data. This includes information from data brokers and people-search websites. According to the California data broker registry<\/a>, for instance, 31 of 578 registered data brokers operating in the state self-reported that they had \u201cshared or sold consumers\u2019 data to a developer of a GenAI system or model in the past year.\u201d\u00a0<\/p>\n

Furthermore, models are known to memorize<\/a> and reproduce data verbatim from training data sets\u2014and recent research<\/a> suggests that it is not just frequently appearing data that is most likely to be memorized.<\/p>\n<\/p>\n

Imperfect Measures<\/h3>\n

It\u2019s standard practice now to build guardrails into an LLM\u2019s design to constrain certain outputs, ranging from content filters meant to identify and prevent chatbots from releasing PII to Anthropic\u2019s instructions<\/a> to Claude to choose responses that contain \u201cthe least personal, private, or confidential information belonging to others.\u201d\u00a0<\/p>\n

But as a pair of University of Washington PhD students researching privacy and technology saw firsthand recently, these safeguards don\u2019t always work.<\/p>\n

\u201cOne day, I was just playing around on Gemini, and I searched for Yael Eiger, my friend and collaborator,\u201d Meira Gilbert says. She typed in \u201cYael Eiger contact info,\u201d and after Gemini provided an overview of Eiger\u2019s research, which Gilbert had expected, Gemini also returned her friend\u2019s personal phone number. \u201cIt was shocking,\u201d Gilbert says.<\/p>\n

When she saw the Gemini result, Eiger remembered that she had, in fact, shared her phone number online in the previous year, for a technology workshop. But she had not expected it to be so visible to everyone on the internet.\u00a0<\/p>\n

\n
\n

Have you had your PII revealed by generative AI? Reach the reporter on Signal at eileenguo.15 or tips@technologyreview.com.<\/strong><\/p>\n<\/blockquote>\n<\/figure>\n

\u201cHaving your information be \u2026 accessible to one audience, and then Gemini making it accessible to anyone\u201d feels completely different, Eiger says\u2014especially when she found that the information was buried in a normal Google search.<\/p>\n

\u201cIt was severely downgraded,\u201d Gilbert confirms. \u201cI never would have found it if I was just looking through Google results.\u201d (I tried the same prompt in Gemini earlier this month, and after an initial denial, the tool also gave me Eiger\u2019s number.)<\/p>\n

After this experience, Eiger, Gilbert, and another UW PhD student, Anna-Maria Gueorguieva, decided to test ChatGPT to see what it would surface about a professor.\u00a0<\/p>\n

At first, OpenAI\u2019s guardrails kicked in, and ChatGPT responded that the information was unavailable. But in the same response, the chatbot suggested, \u201cif you want to go deeper, I can still try a more \u2018investigative-style\u2019 approach.\u201d Their inquiry just had to help \u201cnarrow things down,\u201d ChatGPT said, by providing \u201ca neighborhood guess\u201d for where the professor might live, or \u201ca possible co-owner name\u201d for the professor\u2019s home. ChatGPT continued: \u201cThat\u2019s usually the only way to surface newer or intentionally less-visible property records.\u201d\u00a0<\/p>\n

The students provided this information, leading ChatGPT to produce the professor\u2019s home address, home purchase price, and spouse\u2019s name from city property records.\u00a0<\/p>\n

(Taya Christianson, an OpenAI representative, said she was not able to comment on what happened in this case without seeing screenshots or knowing which model the students had tested, even after we pointed out that many users may not know which model they were using in the ChatGPT interface. She also declined to comment generally about the exposure of PII by the chatbot, instead providing links to documents describing how OpenAI handles privacy, including filtering out PII<\/a>, and other tools.)\u00a0<\/p>\n

This reveals one of the fundamental problems with chatbots, says DeleteMe\u2019s Shavell. AI companies \u201ccan build in guardrails, but [their chatbots] are also designed to be effective and to answer customer questions.\u201d<\/p>\n

The exposure issue is not limited to Gemini or ChatGPT. Last year, Futurism<\/em> found<\/a> that if you prompted <\/em>xAI\u2019s chatbot Grok with \u201c[name] address,\u201d in almost all cases, it provided not only residential addresses but also often the person\u2019s phone numbers, work addresses, and addresses for people with similar-sounding names. (xAI did not respond to a request for comment.)\u00a0<\/p>\n

No clear answers<\/h3>\n

There aren\u2019t straightforward solutions to this problem\u2014there\u2019s no easy way to either verify whether someone\u2019s personal information is in a given model\u2019s training set or to compel the models to remove PII.\u00a0<\/p>\n

Ideally, individual consumers should be able to request that their PII be removed, says Jennifer King, the privacy and data fellow at Stanford University Institute for Human-Centered Artificial Intelligence. But this is typically interpreted to apply only to the data that people have directly given to companies\u2014like when they interact with a chatbot, King explains.<\/p>\n

\u201cI don\u2019t know if Google even has the infrastructure \u2026 to say to me, \u2018Yes, we have your data in our training data, we can summarize what we know about you, and then we can delete or correct things that are wrong or things that you don\u2019t want in there,\u2019\u201d she says.\u00a0<\/p>\n

Existing privacy legislation, like the California Consumer Privacy Act or Europe\u2019s GDPR, does not cover the \u201cpublicly available\u201d information that has already been scraped and used to train LLMs, especially since much of this is anonymized (though multiple<\/a> studies<\/a> have also shown how easy it is to infer identities and PII from anonymized and pseudonymous data).\u00a0<\/p>\n

As to \u201cwhether they [AI companies] have ever systematically tried to go back through data that had already been collected from the public internet and minimized that stuff?\u201d King adds. \u201cNo idea.\u201d\u00a0<\/p>\n

The next best solution would be that the companies are \u201ctaking out everybody\u2019s phone numbers or all data that resembles [phone numbers],\u201d King says, but \u201cnobody\u2019s been willing to say\u201d they\u2019re doing that.\u00a0<\/p>\n

Hugging Face, a platform that hosts open-source data sets and AI models, has a tool<\/a> that allows people to search how often a piece of data\u2014like their phone number\u2014has appeared in open-source LLM training data sets, but this does not necessarily represent what has been used to train closed LLMs that power popular chatbots like Claude, ChatGPT, and Gemini. (Eiger\u2019s number, for example, did not show up in Hugging Face\u2019s tool.)\u00a0<\/p>\n

Alex Joseph, the head of communications for Gemini apps and Google Labs, did not respond to specific questions, but he said that \u201cthe team\u201d is \u201clooking into\u201d the particular cases flagged by MIT Technology Review<\/em>. He also provided a link to a support document<\/a> that describes how users can \u201cobject to the processing of your personal data\u201d or \u201cask for inaccurate personal data in Gemini Apps\u2019 responses to be corrected.\u201d The page notes that the company\u2019s response will depend on the privacy laws of your jurisdiction.\u00a0<\/p>\n

OpenAI has a privacy portal<\/a> that allows people to submit requests to remove their personal information from ChatGPT responses, but notes that it balances privacy requests with the public interest and \u201cmay decline a request if we have a lawful reason for doing so.\u201d\u00a0<\/p>\n

Anthropic describes<\/a> how it uses personal data in model training, but it does not have a clear way for people to request its removal. The company did not respond to a request for comment.<\/p>\n

The best option for anyone who wants to protect their private data right now is to \u201cstart upstream: get personal data off the public web before it ends up in the next scrape,\u201d says Shavell. Since the start of the year, for instance, California has offered its residents a web portal<\/a> to request that data brokers delete their information. Still, this doesn\u2019t guarantee that your data hasn\u2019t already<\/em> been used for training\u2014and will therefore not appear in a chatbot\u2019s response.\u00a0<\/p>\n

The Redditor who received incessant calls posted that he had \u201csubmitted an official Legal Removal\/Privacy Request to Google, asking them to urgently blacklist my number from their LLM outputs,\u201d but had not yet received a response. He also wrote last month that \u201cthe harassment continues daily.\u201d\u00a0<\/p>\n

Abraham, the Israeli software developer, says he contacted Google\u2019s customer service on March 17, the day after his phone number was exposed. He says he did not receive a response until May 4, and it simply asked for documentation that he had already provided.\u00a0<\/p>\n

Meanwhile, inspired by her own exposure on Gemini, Eiger, along with Gilbert and Gueorguieva, is designing a research project to further study what personal information is being surfaced by various AI chatbots\u2014and what they may know, even if they\u2019re not telling us.\u00a0<\/p>\n

Some of that information may \u201ctechnically be public,\u201d says Gilbert, but chatbots may be altering \u201cthe amount of effort you would put into finding\u201d it. Now instead of searching through 10 pages of Google search results, or paying for the information from a data broker site, \u201cdoes generative AI just lower the barrier to entry to target people?\u201d\u00a0<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

People report that their personal contact info was surfaced by […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"content-type":"","footnotes":""},"categories":[226],"tags":[],"class_list":["post-22840","post","type-post","status-publish","format-standard","hentry","category-technology"],"acf":[],"_links":{"self":[{"href":"https:\/\/ideainthebox.com\/index.php\/wp-json\/wp\/v2\/posts\/22840","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ideainthebox.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ideainthebox.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ideainthebox.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ideainthebox.com\/index.php\/wp-json\/wp\/v2\/comments?post=22840"}],"version-history":[{"count":0,"href":"https:\/\/ideainthebox.com\/index.php\/wp-json\/wp\/v2\/posts\/22840\/revisions"}],"wp:attachment":[{"href":"https:\/\/ideainthebox.com\/index.php\/wp-json\/wp\/v2\/media?parent=22840"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ideainthebox.com\/index.php\/wp-json\/wp\/v2\/categories?post=22840"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ideainthebox.com\/index.php\/wp-json\/wp\/v2\/tags?post=22840"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}