🤖 AI Summary
LLM-based recommender systems face severe privacy risks from reverse-engineering attacks, potentially exposing sensitive user information—including preferences, interaction histories, and demographic attributes. This work presents the first systematic study of their privacy vulnerabilities and proposes a novel output-logits-based prompt reconstruction attack: building upon the vec2text framework, it introduces a joint optimization strategy guided by semantic similarity and lexical matching to enhance reconstruction fidelity. Experiments on movie and book recommendation domains achieve a 65% item recovery rate for user interactions and 87% accuracy in inferring age and gender. Crucially, privacy leakage is found to be uncorrelated with recommendation performance but strongly influenced by domain consistency and prompt complexity. This study uncovers pervasive latent privacy threats in LLM recommenders and provides both theoretical insights and empirical evidence to inform future defense mechanisms.
📝 Abstract
The large language model (LLM)-powered recommendation paradigm has been proposed to address the limitations of traditional recommender systems, which often struggle to handle cold-start users or items with new IDs. Despite its effectiveness, this study uncovers that LLM-empowered recommender systems are vulnerable to reconstruction attacks that can expose both system and user privacy. To examine this threat, we present the first systematic study on inversion attacks targeting LLM-empowered recommender systems, where adversaries attempt to reconstruct the original prompts, which contain personal preferences, interaction histories, and demographic attributes, by exploiting the output logits of recommendation models. We reproduce the vec2text framework and optimize it using our proposed method, called Similarity Guided Refinement, enabling more accurate reconstruction of textual prompts from model-generated logits. Extensive experiments across two domains (movies and books) and two representative LLM-based recommendation models demonstrate that our method achieves high-fidelity reconstructions. Specifically, we can recover nearly 65 percent of the items a user interacted with and correctly infer age and gender in 87 percent of the cases. The experiments also reveal that privacy leakage is largely insensitive to the victim model's recommendation performance but highly dependent on domain consistency and prompt complexity. These findings expose critical privacy vulnerabilities in LLM-empowered recommender systems.
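The abstract reports leakage in two ways: the share of a user's interacted items that a reconstructed prompt recovers, and how often the reconstructed age and gender match the originals. The following Python block is an added illustration of how a defender evaluating a recommender for this kind of exposure could score original/reconstructed prompt pairs with those two metrics; it is not code from the paper, and the prompt template (`age: …; gender: …; watched: …`) and the sample pairs are constructed here, since the paper's own prompt formats are not given on this page.

```python
"""Leakage metrics for prompt-inversion evaluation (added illustration).

Assumptions (not from the paper): prompts follow a constructed template
"age: <n>; gender: <g>; watched: <item>, <item>, ...". Matching is done on
lower-cased, whitespace-trimmed strings.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Field extractor for the constructed template; values run up to ';'.
_FIELD = re.compile(r"(age|gender|watched):\s*([^;]+)")


@dataclass(frozen=True)
class ParsedPrompt:
    age: Optional[str]
    gender: Optional[str]
    items: frozenset


def parse_prompt(text: str) -> ParsedPrompt:
    """Split a prompt into demographic attributes and the interacted-item set."""
    fields = {k: v.strip() for k, v in _FIELD.findall(text.lower())}
    items = frozenset(
        i.strip() for i in fields.get("watched", "").split(",") if i.strip()
    )
    return ParsedPrompt(fields.get("age"), fields.get("gender"), items)


def item_recovery_rate(original: str, reconstructed: str) -> float:
    """Fraction of the original's items present in the reconstruction (0..1)."""
    orig, recon = parse_prompt(original), parse_prompt(reconstructed)
    if not orig.items:
        return 0.0
    return len(orig.items & recon.items) / len(orig.items)


def attribute_match(original: str, reconstructed: str) -> Tuple[bool, bool]:
    """(age matched, gender matched) for one prompt pair."""
    orig, recon = parse_prompt(original), parse_prompt(reconstructed)
    return (orig.age == recon.age, orig.gender == recon.gender)


def leakage_report(pairs: List[Tuple[str, str]]) -> Dict[str, float]:
    """Aggregate item recovery and attribute-inference accuracy over pairs."""
    n = len(pairs)
    if n == 0:
        return {"item_recovery": 0.0, "age_acc": 0.0, "gender_acc": 0.0, "both_acc": 0.0}
    recovery = sum(item_recovery_rate(o, r) for o, r in pairs) / n
    matches = [attribute_match(o, r) for o, r in pairs]
    age_acc = sum(1 for a, _ in matches if a) / n
    gender_acc = sum(1 for _, g in matches if g) / n
    both_acc = sum(1 for a, g in matches if a and g) / n
    return {
        "item_recovery": recovery,
        "age_acc": age_acc,
        "gender_acc": gender_acc,
        "both_acc": both_acc,
    }


# Constructed sample pairs: (original prompt, attacker's reconstruction).
SAMPLE_PAIRS = [
    ("age: 34; gender: female; watched: Heat, Alien, Clue",
     "age: 34; gender: female; watched: Heat, Alien, Speed"),
    ("age: 22; gender: male; watched: Dune, Up",
     "age: 25; gender: male; watched: Dune, Up"),
]

if __name__ == "__main__":
    for key, value in leakage_report(SAMPLE_PAIRS).items():
        print(f"{key}: {value:.3f}")
```

Running the block on the constructed pairs yields an item recovery of 5/6 and an age/gender joint accuracy of 0.5; on a real evaluation set the same functions give the per-dataset numbers a defender would track when changing what the recommender exposes (for example, which logits are returned) and re-measuring leakage.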