Thousands of internal files tied to Anthropic’s website were briefly left exposed due to a configuration mistake in the company’s content management system. The files, ranging from draft blog posts to images and documents, could be accessed by anyone who knew how to request them.
Cybersecurity researcher Alexandre Pauwels of the University of Cambridge reviewed the data and estimated that nearly 3,000 unpublished assets linked to the company’s blog were accessible in the cache. Many of them had never appeared on the company’s public news or research pages.
The issue wasn’t a hack in the traditional sense. The system storing Anthropic’s website content could respond to external requests and return files if someone queried it correctly. Because certain assets were set to “public” by default, draft materials sitting in the system’s storage layer remained visible even though they were never meant to be published.
Once alerted, Anthropic quickly restricted access. A spokesperson told Fortune Magazine that the exposure resulted from “human error in the CMS configuration” and said the issue had no connection to the company’s AI models or internal infrastructure.
“An issue with one of our external CMS tools led to draft content being accessible,” the spokesperson said.
Most of the files appear relatively harmless—unused graphics, banners, and draft pages. But some documents pointed to things the company hadn’t yet announced. Among them were references to an unreleased AI model that internal materials described as the most capable system Anthropic has trained so far.
The company later confirmed it is testing a new model with select customers, saying the system represents a “step change” in performance across areas like reasoning, coding, and cybersecurity.
Other files included details about a private executive retreat in the U.K. that Anthropic CEO Dario Amodei is expected to attend with leaders from major European companies.
Situations like this happen more often than tech companies like to admit. Even firms known for tight security have stumbled over similar mistakes. Apple accidentally revealed upcoming iPhone names through its own website in 2018. Gaming giants such as Epic Games and Nintendo have also exposed unreleased assets through misconfigured servers.
Anthropic says none of the files involved customer data, AI models, or internal security architecture. “These materials were early drafts of content considered for publication and did not involve our core infrastructure, AI systems, customer data, or security architecture,” the spokeperson said.
Louis Eriakha
