Model extraction attacks reconstruct a proprietary model's behavior — sometimes close to its actual weights — purely by querying its API a large number of times and training a copycat model on the input/output pairs. No breach is needed; the API itself, used exactly as intended but at scale, is the vulnerability. This is a real business risk for anyone selling access to a fine-tuned or specialized model, and it's part of why API terms of service for major model providers explicitly prohibit using outputs to train competing models — a policy line that exists specifically because the technical attack is otherwise straightforward to execute.
Mitigations focus on making extraction expensive or detectable rather than impossible: rate limiting, watermarking outputs, monitoring for query patterns that look like systematic probing (near-exhaustive coverage of an input space, oddly generic prompts sent at high volume), and legal/contractual deterrents alongside the technical ones.