When searched (using the word Sarah from one of the prompts) statsig?statsig... came up. Pasted the URL https://claude.ai/api/bootstrap/user-id/statsig and found a thrilling 15,400+ line JSON complete with user id, email, IP, location, full hashed experiment list which can be used to intuit a fair amount of data if you're bored enough, internal code names for Claude models and features, country service levels, client list, an ever handy complete list of crisis numbers, blah blah...
Handily one experiment appears to be a highly cryptic three category (effectively 2) list of websites and it has a lot of mundane stuff but dear god it has an exhaustive* but confusingly incomplete list of pron, sugar daddy, affair, piracy, streaming, torrent etc sites that appears to have been lovingly curated by someone. For the life of me I cannot fathom its purpose due to the obvious exclusions and inclusions not making much sense as a blacklist.
I raised it with Anthropic and they did the equivalent of a shrug saying come back if you find a vulnerability.... fair enough, access control does seem to work... It doesn't entirely seem in the spirit of GDPR data minimization at the very least...
Reproduce: Start claude.ai web chat or open existing. Hit F12 or work out how the hell to spidermash it on your stupid 60% keyboard that's mostly stubs now. Sources/search "Sarah". Click wildly on statsig until you realise it's already opened a console tab. Copy URL and paste into browser. Prettify before your eyes melt.
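
An added example, not part of the original post and not Anthropic's or Statsig's code: a small Python audit that walks a saved copy of a JSON response like the one described and lists the JSON paths whose values look like personal data, which is a quick way to back a data-minimization review with specifics. The sample payload, its field names and the key-name hints are constructed assumptions, not copied from the real response.

```python
import ipaddress
import json
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Assumed key names worth flagging even when the value has no recognisable shape.
KEY_HINTS = {"email", "ip", "ipaddress", "country", "city", "location", "userid"}

def classify(key, value):
    """Return a label if this leaf looks like personal data, else None."""
    if isinstance(value, str):
        if EMAIL_RE.match(value):
            return "email"
        try:
            ipaddress.ip_address(value)  # accepts IPv4 and IPv6 literals
            return "ip_address"
        except ValueError:
            pass
    norm = re.sub(r"[^a-z0-9]", "", str(key).lower())
    if norm in KEY_HINTS and value not in (None, ""):
        return "key:" + norm
    return None

def walk(node, path="$", key=""):
    """Yield (json_path, label) for every flagged leaf in a nested structure."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk(v, f"{path}.{k}", k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk(v, f"{path}[{i}]", key)  # items inherit the list's key
    else:
        label = classify(key, node)
        if label:
            yield path, label

def audit(payload):
    return sorted(walk(payload))

# Constructed sample; field names and values are placeholders.
SAMPLE = json.loads("""
{"user": {"userID": "00000000-0000-4000-8000-000000000000",
          "email": "user@example.com", "ip": "203.0.113.7", "country": "NL"},
 "experiments": {"1234567890": {"value": true, "rule_id": "abc"},
                 "987654321": {"value": {"contact": "help@example.org"}}}}
""")

if __name__ == "__main__":
    for json_path, label in audit(SAMPLE):
        print(f"{label:12} {json_path}")
```

To run it on a real capture, replace `SAMPLE` with `json.load(open(path))` on the prettified file saved from your own session.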