ADAM: A Systematic Data Extraction Attack on Agent Memory via Adaptive Querying

Researchers have developed ADAM, a novel privacy attack that exploits vulnerabilities in Large Language Model agents' memory systems through adaptive querying, achieving up to 100% success rates in extracting sensitive information. The attack highlights critical security gaps in modern LLM-based systems that rely on memory modules and retrieval-augmented generation, underscoring the urgent need for privacy-preserving safeguards.

The emergence of ADAM represents a significant escalation in the landscape of AI security threats. As LLM agents become increasingly prevalent in enterprise and consumer applications, their reliance on persistent memory systems and knowledge bases creates new attack surfaces. The ADAM attack specifically targets these architectural features by using data distribution estimation combined with entropy-guided query optimization, enabling attackers to systematically extract sensitive information through seemingly innocuous interactions.

This research builds on growing concerns about LLM security that have accelerated over the past 18 months. Previous privacy attacks on LLM systems achieved limited success rates, leaving some security researchers hopeful that practical defenses might be feasible. ADAM's achievement of near-perfect success rates fundamentally changes this calculus, demonstrating that query-based attacks can be far more effective than previously assumed when properly optimized.

The implications extend across industries deploying LLM agents for sensitive tasks. Organizations using these systems for customer service, data analysis, or knowledge management now face quantifiable risks of data leakage. This vulnerability applies not only to proprietary business information but also personal data, medical records, and other sensitive categories stored in agent memory systems.

Looking forward, this research will likely catalyze investment in privacy-preserving machine learning techniques and drive adoption of differential privacy mechanisms within LLM frameworks. Organizations may face pressure to implement additional access controls, implement differential privacy layers, or redesign memory architectures entirely. The security community should expect similar attacks targeting other LLM vulnerabilities, creating a broader arms race between attack and defense mechanisms.

• →ADAM achieves 100% attack success rates by combining data distribution estimation with entropy-guided query strategies
• →Modern LLM agents' reliance on memory and RAG systems creates critical privacy vulnerabilities exploitable through simple queries
• →Previous privacy attacks on LLMs were far less effective, suggesting ADAM represents a meaningful advancement in attack capabilities
• →Organizations deploying LLM agents now face quantifiable risks of sensitive data extraction through benign-seeming interactions
• →The research underscores urgent need for privacy-preserving methods in production LLM systems