Privacy Risks of LLM-Empowered Recommender Systems: An Inversion Attack Perspective
Yubo Wang, Min Tang, Nuo Shen, Shujie Cui, Weiqing Wang

TL;DR
This paper reveals that LLM-powered recommender systems are vulnerable to inversion attacks that can reconstruct user preferences and demographic data, exposing significant privacy risks.
Contribution
It presents the first systematic study of inversion attacks on LLM-based recommenders and proposes a novel refinement method for more accurate prompt reconstruction.
Findings
Achieves 65% item recovery rate
Correctly infers age and gender in 87% of cases
Privacy leakage depends on domain and prompt complexity
Abstract
The large language model (LLM) powered recommendation paradigm has been proposed to address the limitations of traditional recommender systems, which often struggle to handle cold start users or items with new IDs. Despite its effectiveness, this study uncovers that LLM empowered recommender systems are vulnerable to reconstruction attacks that can expose both system and user privacy. To examine this threat, we present the first systematic study on inversion attacks targeting LLM empowered recommender systems, where adversaries attempt to reconstruct original prompts that contain personal preferences, interaction histories, and demographic attributes by exploiting the output logits of recommendation models. We reproduce the vec2text framework and optimize it using our proposed method called Similarity Guided Refinement, enabling more accurate reconstruction of textual prompts from model…
