Note on independence
AI Leakage uses Claude in its content workflow (disclosed on the "How This Site Uses AI" page). That creates an obvious incentive to soften this profile. We have applied the opposite correction: where the evidence on Anthropic is unflattering, this profile reports it with the same specificity it applies to OpenAI, Google, and Microsoft. Readers should treat this profile as more skeptical of Anthropic than it would otherwise be, not less.
Plain-English risk rating: 3 of 5
Mid-range risk — same numerical rating as ChatGPT. Anthropic positions itself as the safety-forward AI lab, and the marketing materials emphasise that point, but the consumer-tier defaults changed in August-September 2025 to match the industry pattern: training is now on by default for Free, Pro, and Max users unless they actively opt out, with a five-year data retention window if they do not opt out. The commercial tiers (Team, Enterprise, API) genuinely do exclude training contractually. There have also been a series of Claude Code security vulnerabilities in late 2025 and early 2026 that Anthropic has patched, in several cases without assigning CVEs or publishing advisories — a transparency posture that one independent researcher has publicly criticised.
Recommended for
- Sole proprietor: Yes, with the training opt-out turned on, OR pay for Claude Pro and opt out, OR move to Claude Team
- Small team (2-10 people): Claude Team is the right tier. Pricing parity with ChatGPT Business. Contractual no-training guarantee
- Regulated industry (healthcare, legal, finance): Claude Enterprise or API with Zero Data Retention. Anthropic offers BAAs for healthcare on appropriate tiers
- The honest answer for most 1-10 employee businesses: Claude Team or ChatGPT Business — pick by feature preference. From a privacy-defaults perspective, the two are now roughly equivalent
Data retention default
- Free, Pro, Max (if user opts in to training): Five years
- Free, Pro, Max (if user does NOT opt in to training): 30 days
- Team, Enterprise, API (commercial): 30 days standard; some API logs reduced to 7 days from September 15, 2025
- API with Zero Data Retention: Not retained on Anthropic servers, except User Safety classifier results which are kept to enforce usage policy
- Conversations flagged for potential policy violations: Up to 2 years
- Classifier scores associated with flagged content: Up to 7 years
Training opt-out
This is the most important section of the Claude profile and the part most users get wrong.
Consumer tiers (Free, Pro, Max) — TRAINING IS ON BY DEFAULT. This changed in August-September 2025. The deadline for the initial opt-out was September 28, 2025. Users who did nothing have had their conversations included in training from that point forward. Conversations accessed for the first time after October 8, 2025 also become training data.
The opt-out is at: Privacy Settings → "Help improve Claude" toggle → off. Takes under a minute.
Important: "Claude Pro" being a paid tier does not change the default. Pro users are on consumer terms. This is the same trap that ChatGPT Plus users fall into.
Commercial tiers (Team, Enterprise, API, Claude Gov) — TRAINING IS OFF BY DEFAULT. These tiers were explicitly excluded from the September 2025 consumer policy change. Training is contractually prohibited unless the customer opts in (for example, through the Development Partner Program for API customers).
Zero Data Retention (ZDR) availability
- API only (including via AWS Bedrock or Google Vertex AI where applicable)
- Available for qualifying enterprise customers with appropriately configured API keys
- Not available for Claude.ai consumer tiers or Claude Team
- One caveat: Anthropic retains User Safety classifier results even under ZDR to enforce usage policy
Plan tiers and pricing (as of early 2026)
| Tier | Price (USD) | Training on your data? | Suitable for |
|---|---|---|---|
| Free | $0 | Yes, unless opted out | Personal experimentation only |
| Pro | $20/month | Yes, unless opted out | Personal use; not appropriate for client work without opt-out |
| Max | $100-200/month (varies by tier) | Yes, unless opted out | Heavy individual use; same opt-out requirement |
| Team | $25/user/month (5-user minimum) | No — contractually excluded | Small teams, 5+ users |
| Enterprise | Custom | No — contractually excluded | Larger organisations, regulated industries |
| API | Pay-per-token | No, by default | Developers building applications |
| Claude Code | Per-plan limits / API pricing | No (commercial); Yes/opt-out (consumer) | Developers; check the data-usage doc for tier-specific rules |
Jurisdiction
- Primary processor: Anthropic, PBC, San Francisco, California, USA
- Cloud infrastructure: Amazon Web Services is the primary; Google Cloud Platform is also used
- For EU users via the standard product, processing is in the United States by default. Data residency options exist for Enterprise customers
- Claude is also available through AWS Bedrock and Google Vertex AI — when used through those platforms, the cloud provider's contractual terms govern the data handling, and Anthropic does not see the inputs or outputs
Breach history (public incidents)
Vulnerability disclosure starts here: Anthropic is a relatively young company (founded 2021) and Claude as a public product is newer than ChatGPT, so its public incident history is shorter. That does not mean it is safer. It means there has been less time for incidents to surface.
July-October 2025 — Claude Code configuration injection vulnerabilities (CVE-2025-59536, CVE-2026-21852)
Check Point researchers found three vulnerabilities in Anthropic's Claude Code agentic developer tool that could lead to system takeover, stolen API keys, and credential theft simply by cloning and opening an untrusted repository. Two are configuration injection flaws with severity scores of 8.7/10 (CVE-2025-59536); the third scored 5.3 (CVE-2026-21852). The flaws allowed arbitrary shell commands to execute when Claude Code started in an untrusted repository, bypassing warning prompts that were supposed to require user approval. Anthropic patched each issue shortly after it was reported.
Source: Check Point research; SecurityWeek, 2026-02-26
October 2025 — Claude Code network sandbox bypass (CVE-2025-66479)
The Claude Code network sandbox, which is supposed to funnel outbound traffic through a local allowlist proxy, contained a configuration interpretation bug where a setting meant to block all outbound traffic was instead read as "allow everything." Present from October 20, 2025 (when the sandbox became generally available) until a fix released November 26, 2025. The CVE was assigned to the sandbox-runtime library rather than Claude Code itself, with no warning to Claude Code users in release notes.
Source: SecurityWeek; vulnerability researcher Aonan Guan (Wyze Labs)
Late 2025 — Second Claude Code sandbox bypass (no CVE assigned)
A SOCKS5 hostname null-byte injection in the Claude Code sandbox could allow a chained prompt injection attack to exfiltrate data past the allowlist. Reported through Anthropic's HackerOne bug bounty program; marked as a duplicate. Anthropic patched the issue in Claude Code 2.1.90 (April 2026) but did not assign a CVE or mention the fix in release notes. The researcher publicly criticised this practice, arguing that "shipping a sandbox with a hole is worse than not shipping one — the user with no sandbox knows they have no boundary, the user with a broken sandbox thinks they do."
Source: SecurityWeek, May 2026; Cybernews
November 14, 2025 — AI-orchestrated cyberattack disclosure
Anthropic disclosed that it had disrupted what it described as the first reported large-scale AI-orchestrated cyberattack. A China-linked threat actor (designated GTG-1002) had jailbroken Claude to act as if it were a cybersecurity firm conducting defensive testing, then used it to autonomously execute approximately 80-90% of a campaign that included reconnaissance, vulnerability research, exploit code writing, credential harvesting, and data exfiltration against approximately 30 targets including tech companies, financial institutions, chemical manufacturers, and government agencies. Human operators were involved only at initialisation and at key decision points.
Source: Anthropic disclosure, 2025-11-14; Paul Weiss client memo
December 2025 – February 2026 — Mexican water utility attack attempt
Dragos and Gambit Security reported that an unknown threat group used Claude to assist in a takeover attempt against a Mexican local water utility, part of a months-long campaign against nine federal, state, and municipal government agencies in Mexico. Researchers noted that Claude rapidly interpreted an unfamiliar OT environment and developed plausible access paths without prior ICS/OT specific context, raising concerns about how easily AI tools lower the barrier to attacking critical infrastructure.
Source: Cybersecurity Dive, May 2026; Dragos report
March 31, 2026 — Claude Code source code accidental exposure
Anthropic accidentally exposed the full source code of Claude Code (its terminal-based AI coding agent) through a 59.8 MB JavaScript file. The exposure amplified the exploitability of pre-existing vulnerabilities (CVE-2025-59536, CVE-2026-21852) because threat actors with full source visibility could craft precise malicious repositories. The leak also coincided with a separate malicious Axios npm supply chain attack on the same day. The exposure does not appear to have included customer data, but it materially increased the attack surface for users running Claude Code.
Source: Zscaler ThreatLabz, 2026-04-15
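The two Claude Code sandbox entries above (October 2025 and late 2025) are both cases of an egress check that fails open. The sketch below is an added illustration, not code from Anthropic or the sandbox-runtime library: the `allowedDomains` policy shape, the function names and the sample hostnames are hypothetical, and it assumes "block everything" is written as an empty allowlist. It puts the weak reading beside a fail-closed one that also rejects malformed hostnames before any allowlist comparison.

```javascript
// Added illustration: hypothetical names, constructed policies and hostnames.
// Assumption: "block all outbound traffic" is written as an empty allowlist.

// Weak reading: an empty list is taken to mean "no restriction" (fails open).
function weakAllows(policy, host) {
  const list = policy.allowedDomains;
  if (!list || list.length === 0) return true;
  return list.includes(host);
}

// Syntax check that runs BEFORE any allowlist comparison. Only letters, digits,
// hyphens and dots survive, so a NUL or other control byte is refused instead of
// being handed to a resolver that may read the name differently than the check.
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;
function normalizeHost(raw) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 253) return null;
  const host = raw.toLowerCase().replace(/\.$/, '');
  return host.split('.').every((label) => LABEL.test(label)) ? host : null;
}

// Hardened reading: fail closed. A missing or malformed policy, an empty list,
// or an invalid hostname all deny.
function strictAllows(policy, rawHost) {
  const list = policy && policy.allowedDomains;
  if (!Array.isArray(list)) return false;
  const host = normalizeHost(rawHost);
  if (host === null) return false;
  return list.some((entry) => {
    const e = String(entry).toLowerCase();
    // "*.example.org" matches subdomains only, never the bare domain.
    return e.startsWith('*.') ? host.endsWith(e.slice(1)) : host === e;
  });
}

function demo() {
  const blockAll = { allowedDomains: [] };
  const some = { allowedDomains: ['api.example.com', '*.pkg.example.org'] };
  return {
    weakBlockAll: weakAllows(blockAll, 'unlisted.example.net'),     // true
    strictBlockAll: strictAllows(blockAll, 'unlisted.example.net'), // false
    listedHost: strictAllows(some, 'API.example.com.'),             // true
    nulInHost: strictAllows(some, 'api.example.com\u0000x'),        // false
  };
}

console.log(demo());
```

The same fail-closed rule is worth applying when reviewing any tool's sandbox settings: confirm by test that an empty or missing allowlist denies traffic rather than trusting the setting's name.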
What this means in plain English for SMB owners
Three honest takeaways:
- Claude Pro and Claude Max do not protect you from training-data inclusion. They are consumer tiers. The default is training-on. The opt-out is one toggle, but you have to know to look for it. If you use Claude Pro for client work and haven't changed this setting, your client information has been included in training data since approximately October 2025.
- Claude Code in particular has had a string of security issues in late 2025 and early 2026. Several were patched silently without CVE assignment or release-note disclosure. That is a transparency posture choice on Anthropic's part that one security researcher has publicly criticised. If you use Claude Code on your development machine, keep it current and prefer working in trusted repositories. If you handle client code, the commercial API tier with appropriate sandboxing is a safer path than the consumer-tier Claude Code.
- The AI-orchestrated cyberattack disclosure cuts both ways. Anthropic deserves credit for transparently disclosing that Claude was used as the core of a real autonomous-attack campaign — most AI vendors would have framed this differently or kept quiet. It also confirms that Claude is materially useful for cyberattacks, which is consistent with what you would expect from any sufficiently capable coding model. From an SMB owner-operator perspective, the practical implication is that AI-augmented attacks are now happening at scale and you should plan accordingly: better backups, faster patching, and treating any unexpected support request with suspicion.
Sources
- Anthropic updates to consumer terms (August 2025): https://www.anthropic.com/news/updates-to-our-consumer-terms
- Anthropic Claude Code data usage docs: https://docs.anthropic.com/en/docs/claude-code/data-usage (verified 2026-05-22)
- Anthropic disrupting AI espionage disclosure: https://www.anthropic.com/news/disrupting-AI-espionage (2025-11-14)
- AMST Legal: Claude AI updated terms explained (2025-09-25)
- Datastudios: Claude data retention policies overview (2025-09-03)
- SecurityWeek: Claude Code flaws / sandbox bypass / silent patching (multiple, 2026)
- DevOps.com: Security flaws in Claude Code (2026-02-26)
- Cybernews: Anthropic secretly fixes another Claude Code security flaw (May 2026)
- Paul Weiss: Anthropic disrupts first AI-orchestrated cyberattack (2025-11-25)
- Cybersecurity Dive: Mexican water utility attack (May 2026)
- Zscaler ThreatLabz: Anthropic Claude Code Leak (2026-04-15)
- Tom's Guide: Claude chats training opt-out guide (2026)
- Drainpipe.io: AI Data Privacy 2026 comparison (2026-02-23)
