The Value is the Risk
Three stories, one mechanism: the thing that made each system worth having is the exact thing that made it dangerous the moment it left your hands. Niantic's scans, ServiceNow's operational depth, Anthropic's raw capability — same property, weaponized as soon as it changed owner or context. Here's what stood out from the operator chair.
The model is the data, and the model already shipped. Niantic built 30 billion AR scans from Pokémon GO players earning in-game rewards, trained a Visual Positioning System on them, then spun that into a defense partnership helping autonomous drones navigate GPS-denied environments. Niantic Spatial's response, "we didn't share the data with them," is technically true and practically irrelevant. A model is just data. If it was trained on the scans, the scans traveled. The question was never whether data gets collected. It's whether you've made your own peace with where it ends up, because the downstream uses will outrun whatever you thought you agreed to.
Read-only access to a system of record isn't low-stakes; it's a map of how the company runs. ServiceNow disclosed an authentication flaw that let unauthenticated POST requests query customer instance tables: IT support tickets, employee records, workflow data, all before a patch landed on June 5. The bug is the occasion; the lesson is what "read-only" actually buys here. From the operator chair, that's immediately a social engineering goldmine. A platform like this earns its keep by knowing everything about how your organization operates, and that same depth is exactly what makes read access against it so valuable. The takeaway isn't about one vendor's posture. It's that the more operational context you centralize in any SaaS system of record, the bigger the payoff when something gives, even when all an attacker gets is the ability to look.
If you hype the danger and the government believes you, don't be surprised when it acts. The U.S. government issued an export control directive forcing Anthropic to pull Fable 5 and Mythos 5 offline for all users worldwide, citing a jailbreak that let someone ask the model to read a codebase and flag vulnerabilities. Anthropic called it narrow and non-universal. The team's read: GPT-5.5 does the same thing. Every model does. We've been feeding code to AI for a while. Why is it suddenly scary? Part of the answer is that Anthropic spent years telling everyone this technology was uniquely powerful and uniquely dangerous, and eventually the government agreed. The more unsettling question is what comes next, because there's no regulatory body with the standing to adjudicate any of this. The government can flip the switch, and nobody's built the process to turn it back on.
The takeaway. The property that makes each system valuable is the exact property that makes it dangerous once it changes hands, and each one is a one-way door. Once it's through, nobody's built the way back.