This work addresses a critical privacy vulnerability in machine unlearning: the potential leakage of class labels associated with forgotten data. The study systematically uncovers this risk and proposes a novel multi-perspective attack framework that integrates model parameter analysis with model inversion. On the parameter side, it constructs discriminative features using dot products and vector differences, then employs k-means clustering, the Youden index, and decision trees to identify the forgotten class. On the inversion side, it designs a gradient-based white-box attack and a genetic algorithm-driven black-box attack, complemented by thresholding and information entropy criteria to analyze prediction distributions. Experiments across four benchmark datasets demonstrate significant label leakage across five state-of-the-art unlearning methods, revealing a fundamental privacy shortcoming in current approaches.

With the widespread application of artificial intelligence technologies in face recognition and other fields, data privacy security issues have received extensive attention, especially the \textit{right to be forgotten} emphasized by numerous privacy protection laws. Existing technologies have proposed various unlearning methods, but they may inadvertently leak the categories of unlearned data. This paper focuses on the category unlearning scenario, analyzes the potential problems of category leakage of unlearned data in multiple scenarios, and proposes four attack methods from the perspectives of model parameters and model inversion based on attackers with different knowledge backgrounds. At the level of model parameters, we construct discriminative features by computing either dot products or vector differences between the parameters of the target model and those of auxiliary models trained on subsets of retained data and unrelated data, respectively. These features are then processed via k-means clustering, Youden's Index, and decision tree algorithms to achieve accurate identification of the forgotten class. In the model inversion domain, we design a gradient optimization-based white-box attack and a genetic algorithm-based black-box attack to reconstruct class-prototypical samples. The prediction profiles of these synthesized samples are subsequently analyzed using a threshold criterion and an information entropy criterion to infer the forgotten class. We evaluate the proposed attacks on four standard datasets against five state-of-the-art unlearning algorithms, providing a detailed analysis of the strengths and limitations of each method. Experimental results demonstrate that our approach can effectively infer the classes forgotten by the target model.