Statsig Endpoint Exposes Claude User Data
A researcher recently discovered that Claude's Statsig bootstrap endpoint returns a 15,400-plus-line JSON document containing user IDs, emails, IP addresses, hashed experiment lists, internal model codenames, client lists and crisis phone numbers. The researcher reported the exposure to Anthropic, which acknowledged the report but did not classify it as a vulnerability. The finding raises GDPR and telemetry-minimization concerns and calls for an immediate audit of what the endpoint serves and who can reach it.
Key Points
- Found: the Statsig bootstrap endpoint returned a 15,400+ line JSON document containing user IDs, emails and IP addresses.
- The payload also contains internal experiment lists, model codenames, client lists and crisis phone numbers, indicating exposure of sensitive internal data, not just user PII.
- Requires immediate telemetry and access-control audits, removal of PII from analytics endpoints, and GDPR compliance checks.
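As a concrete version of the audit the third point calls for, here is an added example (not code from the report, nor from Statsig or Anthropic) that walks a feature-flag bootstrap payload, flags PII-looking values and sensitive key names, and produces a redacted copy. The payload and its field names are constructed for illustration and are assumptions, not Statsig's real schema.

```python
"""Scan a feature-flag bootstrap payload for PII before it reaches the client.

Added example; not code from the original report or from Statsig/Anthropic.
SAMPLE_BOOTSTRAP is constructed for illustration and its field names are
assumptions, not Statsig's real schema.
"""
import ipaddress
import json
import re
from typing import Any, Optional

# Key names that have no business in a client-facing bootstrap blob (assumed list).
SENSITIVE_KEYS = {"email", "emails", "ip", "ip_address", "client_ip", "user_id", "phone"}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Loose phone pattern: leading digit, 7+ digits/separators, trailing digit.
PHONE_RE = re.compile(r"^\+?\d[\d\s().-]{6,}\d$")


def classify_value(value: str) -> Optional[str]:
    """Return the PII class of a string ("email", "ip", "phone") or None."""
    if EMAIL_RE.match(value):
        return "email"
    if IPV4_RE.match(value):
        try:
            ipaddress.IPv4Address(value)  # rejects octets > 255, e.g. 999.1.1.1
            return "ip"
        except ValueError:
            return None
    if PHONE_RE.match(value):
        return "phone"
    return None


def scan(obj: Any, path: str = "$") -> list:
    """Walk decoded JSON and return (json_path, kind, value) findings.

    Both sensitive key names and PII-shaped string values are reported, so a
    field like user.email produces two findings: one for the key, one for the value.
    """
    findings = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            child = f"{path}.{key}"
            if key.lower() in SENSITIVE_KEYS:
                findings.append((child, f"sensitive_key:{key}", json.dumps(val)))
            findings.extend(scan(val, child))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            findings.extend(scan(item, f"{path}[{i}]"))
    elif isinstance(obj, str):
        kind = classify_value(obj)
        if kind:
            findings.append((path, kind, obj))
    return findings


def summarize(findings: list) -> dict:
    """Count findings by base kind, e.g. {"email": 1, "sensitive_key": 3}."""
    counts: dict = {}
    for _, kind, _ in findings:
        base = kind.split(":", 1)[0]
        counts[base] = counts.get(base, 0) + 1
    return counts


def redact(obj: Any) -> Any:
    """Return a copy with sensitive keys dropped and PII-shaped strings masked."""
    if isinstance(obj, dict):
        return {k: redact(v) for k, v in obj.items() if k.lower() not in SENSITIVE_KEYS}
    if isinstance(obj, list):
        return [redact(i) for i in obj]
    if isinstance(obj, str):
        kind = classify_value(obj)
        return f"[REDACTED:{kind}]" if kind else obj
    return obj


# Constructed sample payload shaped like a flag/experiment bootstrap response.
SAMPLE_BOOTSTRAP = json.loads("""
{
  "feature_gates": {"new_composer": {"value": true, "rule_id": "r1"}},
  "dynamic_configs": {
    "support_numbers": {"value": {"crisis_line": "+1 800 555 0199"}}
  },
  "user": {"user_id": "u_12345", "email": "alice@example.com", "ip": "203.0.113.7"},
  "experiments": ["exp_a1b2", "exp_c3d4"],
  "version_label": "10.5.1"
}
""")

if __name__ == "__main__":
    for path, kind, value in scan(SAMPLE_BOOTSTRAP):
        print(f"{kind:22} {path} = {value}")
    print(summarize(scan(SAMPLE_BOOTSTRAP)))
```

Run it against a captured bootstrap response (`json.loads` of the body) rather than the constructed sample. Phone hits need human triage: a support or crisis line may be intentional client configuration, whereas emails and client IPs in a payload served to every client are not. Version strings such as `10.5.1` are not flagged because the IPv4 check requires four valid octets.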
Scoring Rationale
High relevance and actionable security findings, limited by single-source reporting and lack of official confirmation.

