Do not be surprised if LessWrong gets hacked

The LessWrong team has issued a stark warning to its user base, stating the popular AI and rationality discussion forum should not be considered secure and could be hacked. The warning comes directly from a LessWrong admin, RobertM, who published the announcement titled 'Do not be surprised if LessWrong gets hacked.' The post serves as both a PSA about the site's current security posture and an attempt to establish common knowledge about the escalating cybersecurity landscape, which the admin believes is about to change dramatically.

The catalyst for this urgent warning is Anthropic's recent announcement of Claude Mythos. Accompanying that launch was a blog post from Anthropic's Frontier Red Team detailing a large number of zero-day and other security vulnerabilities discovered by the AI model. RobertM argues this development was overdetermined, citing previous signals like LLMs being trained on code and AI labs prioritizing cybersecurity in their threat models. In light of this new AI-powered threat capability, the admin clarifies that LessWrong is run by a small team with an 'early-stage startup' philosophy, making trade-offs that favor development speed over robust security.

Users are explicitly told not to store highly sensitive information—such as LLM API keys, crypto wallet keys, or account credentials—in LessWrong drafts or direct messages. While the forum is not considered a high-value target for financially motivated cybercriminals, it could be caught in the 'blast radius' of scaled, automated attacks. The most likely breach scenario involves automated tools scanning the database for monetizable data. The team advises users to immediately cycle any sensitive credentials they may have stored on the platform, though they express cautious optimism that any stolen data might not become widely circulated.