Large language models (LLMs) based recommender systems (RecSys) can adapt flexibly across different domains. It uses in-context learning (ICL), i.e., prompts, including sensitive historical user-specific item interactions, to customize the recommendation functions. However, no study has examined whether such private information may be exposed by novel privacy attacks. We design two membership inference attacks (MIAs): ItemMem, and RecInertia, aiming to identify whether system prompts contain the victim's information. We have carefully evaluated them on the latest open-source LLMs and three well-known RecSys datasets. The results confirm that the MIA threat to LLM RecSys is realistic and can be more sophisticated than prompt extraction. They utilize the unique prompt structures in ICL RecSys and cannot be easily mitigated with existing defense methods on prompt extraction.
Membership Inference Attacks on In-Context Examples in LLM-based Recommender Systems
Large language models (LLMs) based recommender systems (RecSys) can adapt flexibly across different domains. It uses in-context learning (ICL), i.e., prompts, including sensitive historical user-specific item interactions, to customize the recommendation functions.
- Preview

- Year
- 2025
- Hosting
- Abstract onlyARXIV-DEFAULT
Cite
Notes
Only stored in your browser.
Attribution
- Abstract & full text
- arxiv.org/abs/2508.18665ARXIV-DEFAULT
- TL;DR
- Semantic Scholar