What caused Claude Mythos unauthorized access?

Anthropic investigates unauthorized access to Claude Mythos

Anthropic says it is investigating unauthorized access to Claude Mythos, a restricted cybersecurity model it had limited from public release. Bloomberg reporting described that a small group of users gained access through a mix of contractor-linked access and online “sleuthing.” Anthropic later characterized the situation as unauthorized access and said it was investigating.

What access pathways were described

Two different elements are described in the reporting:

• Access through third parties: Anthropic’s restricted model was reportedly reachable via a pathway involving a contractor’s environment. This implies that credentials or connectivity provided for legitimate work could have been abused.
• Discovery via guessing: In another report, unauthorized users were described as accessing the model by guessing its URL. That suggests a security boundary that relied on obscurity rather than robust authentication controls.

Why it matters

Mythos has been positioned as a model capable of finding cybersecurity vulnerabilities, and Anthropic’s decision to restrict access already signaled concern about misuse risk. Unauthorized access changes that calculus: even a “small group” can be enough to test, probe, or misuse capabilities at scale.

The incident also highlights a broader operational risk for frontier AI security tooling: restrictions are not just about policy and deployment decisions, but also about hardening every way the model can be reached—network access, credentials, and endpoint security.

This investigation matters for the cybersecurity sector because access to vulnerability-finding capabilities can be dual-use. If model access controls are bypassed, defensive research could be complicated by faster attacker experimentation, and organizations that want to use such tools responsibly may face delays or tighter constraints while providers audit and redesign access protections.