ChatGPT users have gained two new security controls: one aimed at preventing data theft through prompt injection and another at tracking account sign-ins.
According to OpenAI, the first of these, Lockdown Mode, is an optional setting that limits how far ChatGPT can reach into the web and external services.
First offered to enterprise plans in February, it began reaching personal and self-serve business accounts in early June.
The risk it addresses is not hypothetical. Researchers have repeatedly shown how a single hidden instruction can pull data from a linked inbox or leak a user’s conversations.
Blocking the Exfiltration Channel
Rather than catching the malicious prompt, Lockdown Mode targets the last step, choking off the outbound network requests an attacker would use to ship stolen data out. The injected text still reaches the model unimpeded, hidden in a web page or file.
Cybersecurity expert and renowned open-source developer Simon Willison, who popularized the term prompt injection, welcomed the change. “This looks really good to me,” he wrote in his blog over the weekend.
Willison has long held that the most practical defense against prompt injection is to sever an attacker’s route for exfiltrating data, which is what the setting does using deterministic controls a manipulated model cannot override.
However, the feature’s existence, he added, also implies default ChatGPT cannot fully block a determined attempt at data exfiltration.
That protection has a price: live connector access and write actions switch off, sidelining features such as the Finances tool and shopping agents, and it cannot run alongside Developer Mode. OpenAI pitched it at users and organizations that handle sensitive data, not the general public.
Read more on ChatGPT data exfiltration: ChatGPT Security Issue Enabled Data Theft via Single Prompt
Reviewing Signed-In Devices
The second control, Active Sessions, brings session management to ChatGPT’s security settings, letting users audit where their account is logged in. Each entry can show:
-
Device or browser details
-
Approximate location and sign-in time
-
Which first-party app was used, such as ChatGPT or Codex
-
Whether it is a trusted device or the current session
Users can end a single session or sign out everywhere at once, though a full sweep can take up to 30 minutes. If something looks unfamiliar, OpenAI advises changing the password, reviewing sign-in methods and contacting support.
One gap will matter to larger organizations: the feature is unavailable on accounts that use single sign-on (SSO), including SAML and OpenID Connect and it does not track third-party app sessions or Codex CLI logins.
