R.R.: Unveiling LLM Training Privacy through Recollection and Ranking
FOS: Computer and information sciences
Computer Science - Computation and Language
Computation and Language (cs.CL)
DOI: 10.48550/arxiv.2502.12658
Publication Date: 2025-02-18
AUTHORS (8)
ABSTRACT
Large Language Models (LLMs) pose significant privacy risks, potentially leaking training data due to implicit memorization. Existing attacks primarily focus on membership inference (MIAs) or extraction attacks, but reconstructing specific personally identifiable information (PII) in LLM's training data remains challenging. In this paper, we propose R.R. (Recollect and Rank), a novel two-step stealing attack that enables attackers to reconstruct PII entities from scrubbed training data where the PII entities have been masked. In the first stage, we introduce a prompt paradigm named recollection, which instructs the LLM to repeat a masked text and fill in the masks. Then we can use PII identifiers to extract the recollected PII candidates. In the second stage, we design a new criterion to score each PII candidate and rank them. Motivated by membership inference, we leverage a reference model as a calibration for our criterion. Experiments across three popular PII datasets demonstrate that R.R. achieves better PII identical performance compared to baselines. These results highlight the vulnerability of LLMs to PII leakage even when the training data has been scrubbed. We release the replicate package at a link.