Recommendation systems face severe privacy risks from membership inference attacks (MIAs), yet their lack of posterior probabilities and other characteristics renders conventional MIA methods largely inapplicable, and no systematic survey exists. This paper presents the first comprehensive survey on MIAs in recommendation systems, proposing the inaugural unified taxonomy encompassing attack mechanisms, defense strategies, and evaluation paradigms. It clarifies fundamental design principles and core challenges—including implicit feedback modeling and sequence sensitivity—while systematically synthesizing representative works from 2019–2023 and identifying critical research gaps. The study establishes a theoretical foundation for this emerging field, has become a community benchmark reference, and has catalyzed the development of multiple novel defense mechanisms.

Recommender systems (RecSys) have been widely applied to various applications, including E-commerce, finance, healthcare, social media and have become increasingly influential in shaping user behavior and decision-making, highlighting their growing impact in various domains. However, recent studies have shown that RecSys are vulnerable to membership inference attacks (MIAs), which aim to infer whether user interaction record was used to train a target model or not. MIAs on RecSys models can directly lead to a privacy breach. For example, via identifying the fact that a purchase record that has been used to train a RecSys associated with a specific user, an attacker can infer that user's special quirks. In recent years, MIAs have been shown to be effective on other ML tasks, e.g., classification models and natural language processing. However, traditional MIAs are ill-suited for RecSys due to the unseen posterior probability. Although MIAs on RecSys form a newly emerging and rapidly growing research area, there has been no systematic survey on this topic yet. In this article, we conduct the first comprehensive survey on RecSys MIAs. This survey offers a comprehensive review of the latest advancements in RecSys MIAs, exploring the design principles, challenges, attack and defense associated with this emerging field. We provide a unified taxonomy that categorizes different RecSys MIAs based on their characterizations and discuss their pros and cons. Based on the limitations and gaps identified in this survey, we point out several promising future research directions to inspire the researchers who wish to follow this area. This survey not only serves as a reference for the research community but also provides a clear description for researchers outside this research domain.