What happened
Bloomberg reported on April 21, 2026 that a small group of unauthorized users gained access to Anthropic's Claude Mythos Preview model—described by the company as too dangerous for public release—through an educated guess of the model's online location using information leaked from the Mercor breach and insider access from a third-party contract evaluator. The group has maintained continuous access since the model's April announcement.
Why it matters
This breach exposes a fundamental security gap in how Anthropic protects its most sensitive models, particularly concerning given Mythos' advertised capability to find vulnerabilities 'in every major operating system and web browser.' The incident undermines Anthropic's AI safety positioning and raises critical questions about vendor security practices, third-party contractor vetting, and monitoring of limited-preview models. Security researcher Lukasz Olejnik characterized the failure as 'entirely imaginable' and routine in traditional cybersecurity.
Action needed
Organizations evaluating Anthropic for sensitive deployments should request clarification on contractor access controls, model usage logging, and anomaly detection capabilities. AI security teams should assess whether their own limited-preview or internal models have sufficient monitoring to detect unauthorized access patterns, particularly from insider-adjacent actors.