Measuring Real-World Prompt Injection Attacks in LLM-based Resume Screening
For practitioners deploying LLM-based applications, this work provides the first large-scale evidence that prompt injection is a real and growing threat, not just a theoretical concern.
This paper presents the first systematic study of prompt injection attacks in LLM-based resume screening, analyzing ~200K real-world resumes. They found ~1% contain hidden injections, with prevalence increasing over the past 1-2 years, and >90% of injected prompts lack explicit instructions.
LLMs are vulnerable to prompt injection attacks. However, this vulnerability has been primarily demonstrated conceptually in academic studies or through a few anecdotal case studies. Its prevalence and impact in real-world LLM-based applications are largely unexplored. In this work, we present the first systematic study of prompt-injection attacks in a widely used application: LLM-based resume screening. Our analysis is based on approximately 200K real-world resumes collected over multiple years by hireEZ. We first design tailored methods to detect prompt injection in resumes. Manual validation on a small-scale dataset demonstrates that our detectors achieve high precision and outperform state-of-the-art general-purpose detectors. We then apply our detector to the full resume dataset and conduct a comprehensive measurement study of real-world prompt injection attacks. Our analysis reveals several intriguing findings: approximately 1% of resumes contain hidden prompt injections; the prevalence of such injected resumes has increased noticeably over the past one to two years; and more than 90% of injected prompts do not use explicit instructions. These results provide the first evidence of large-scale prompt injection in real-world LLM-based applications and lay the groundwork for future studies to understand and mitigate such attacks.