# I coined the term prompt injection

on may 13, 2022, I asked whether services wrapping GPT-3 were
vulnerable to the equivalent of sql injection. "like, a
prompt-injection attack"

<https://x.com/himbodhisattva/status/1525182881726730240>

simon willison is usually credited with coining the term. on august 4,
2025, he acknowledged I used it first, four months before he did:

<https://simonwillison.net/2025/Aug/4/>

## related threads

riley goodside acknowledged that I proposed the current name in may
2022:

<https://x.com/goodside/status/1952368779788472548>

simon replied later in that thread after quoting the original tweet on
his blog:

<https://x.com/simonw/status/1952409664848908470>

the thread starts here:

<https://x.com/TalBeerySec/status/1952356190182117690>

## context

in may 2022 I was leading NLP at a startup that was an early adopter of
GPT-3. early enough that we had to ask openai to raise our concurrent
connection limit from two to fifty, which surprised them. at a few
thousand dollars a month we were briefly their biggest spender

jasper and copy.ai were obviously wrapping GPT-3 and I wanted to know
what prompts they were using. I'd been a web developer so I thought of
sql injection

we had a working version against one of those products at the time,
which I didn't disclose. in retrospect I should have.

## thoughts

coining it isn't evidence of brilliance. it was obvious. it's just
proof I've been in the trenches with transformers since day 1. well,
day 100, I was still into awd-lstms when the attention paper dropped

the term took off almost immediately and credit went to riley goodside
and simon. it drove me crazy but I didn't want to make a big deal about
it because that seemed gauche and I was trying to maintain
pseudonymity. for three years I'd just reply "pretty sure it was me"
when the timeline came up. eventually one of those threads reached
simon and he posted the correction