This work reveals that machine unlearning can inadvertently heighten privacy risks for retained data, rendering it more susceptible to membership inference attacks. To systematically assess this effect, the authors propose TC-UMIA—the first group-level membership inference attack framework tailored to three distinct sample categories: forgotten, retained, and unseen data—by analyzing discrepancies in model outputs before and after unlearning. This study extends membership inference attacks to retained data for the first time, uncovering a novel privacy leakage pathway introduced by machine unlearning and establishing a generalizable three-class attack paradigm. Extensive experiments across five state-of-the-art unlearning algorithms and six real-world datasets demonstrate that unlearning significantly increases the inferability of retained samples, with Dropout achieving the best trade-off between privacy preservation and model utility.

Machine unlearning (MU) has emerged as a key mechanism for ensuring data privacy and regulatory compliance by enabling models to forget specific training samples. However, recent studies have shown that the removal of data can inadvertently introduce privacy leakages to the retain set,i.e., data that remain in the model after unlearning. In this paper, we extend the scope of privacy analysis in unlearning to the often-overlooked retained data. We introduce TC-UMIA, the first tri-class unlearning membership inference attack. TC-UMIA is a population-level inference framework that leverages model predictions before and after unlearning to distinguish among the forget, retain, and unseen set. Extensive experiments on five state-of-the-art unlearning algorithms and six real-world datasets demonstrate that: (i) unlearning can introduce additional privacy risks to the retain set, making it more susceptible to membership inference attacks; (ii) TC-UMIA is effective across a wide range of model architectures, datasets, and MU approaches. Beyond launching the attack, we rigorously evaluate three defense mechanisms, namely label-only outputs, dropout, and differential privacy, to mitigate the privacy risks posed by TC- UMIA. Our results reveal a fundamental trade-off between privacy protection and model accuracy, with the dropout approach offering the most favorable balance.