I coined the term prompt injection

on may 13, 2022, I asked whether services wrapping GPT-3 were vulnerable to the equivalent of sql injection. "like, a prompt-injection attack"

https://x.com/himbodhisattva/status/1525182881726730240

simon willison is usually credited with coining the term. on august 4, 2025, he acknowledged I used it first, four months before he did:

https://simonwillison.net/2025/Aug/4/

related threads

riley goodside acknowledged that I proposed the current name in may 2022:

https://x.com/goodside/status/1952368779788472548

simon replied later in that thread after quoting the original tweet on his blog:

https://x.com/simonw/status/1952409664848908470

the thread starts here:

https://x.com/TalBeerySec/status/1952356190182117690

context

in may 2022 I was leading NLP at a startup that was an early adopter of GPT-3. early enough that we had to ask openai to raise our concurrent connection limit from two to fifty, which surprised them. at a few thousand dollars a month we were briefly their biggest spender

jasper and copy.ai were obviously wrapping GPT-3 and I wanted to know what prompts they were using. I'd been a web developer so I thought of sql injection

we had a working version against one of those products at the time, which I didn't disclose. in retrospect I should have.

thoughts

coining it isn't evidence of brilliance. it was obvious. it's just proof I've been in the trenches with transformers since day 1. well, day 100, I was still into awd-lstms when the attention paper dropped

the term took off almost immediately and credit went to riley goodside and simon. it drove me crazy but I didn't want to make a big deal about it because that seemed gauche and I was trying to maintain pseudonymity. for three years I'd just reply "pretty sure it was me" when the timeline came up. eventually one of those threads reached simon and he posted the correction