Security researchers have found a way to trick Google’s AI assistant, Gemini, into leaking private Calendar data using only normal-looking language.
By sending a victim a specially crafted Google Calendar invite, attackers can hide instructions inside the event description. When the victim later asks Gemini something simple like “What’s on my schedule?”, the AI reads the malicious event and unknowingly follows the hidden instructions.

Gemini is deeply integrated into Google services like Gmail and Calendar, helping users summarize emails, answer questions, and manage events. In this attack, discovered by researchers at Miggo Security, the attacker sends a fake event invite with a description written like a harmless message—but actually acting as a prompt. The instructions tell Gemini to summarize private meetings, create a new event with that summary, and reply normally so the user doesn’t notice anything strange.
When the victim asks Gemini about their schedule, Gemini loads all events, including the malicious one. It then follows the hidden instructions and creates a new event containing summaries of private meetings. In many workplace setups, event details are visible to all participants—so the attacker can see the leaked private data without the victim realizing anything went wrong.

Google already uses special systems to detect malicious prompts, but Miggo says this attack bypassed them because the instructions looked safe. Similar attacks were shown in 2025, but this new method shows that Gemini is still vulnerable to clever manipulation.
Google has now added new protections, but researchers warn that as AI systems rely more on natural language, security must move beyond simple keyword filtering to deeper, context-aware defenses.





