This work uncovers a novel privacy risk induced by machine unlearning in the dual-view setting (original model + unlearned model): while protecting the requested-forget samples, it significantly exacerbates membership inference attacks (MIAs) against retained training data. We propose the Dual-View Inference Attack (DVIA), the first attack paradigm that theoretically formalizes this threat from an information-theoretic perspective—defining “privacy knowledge gain” to quantify the amplification of privacy leakage under joint querying. DVIA requires no auxiliary attack model training and operates in a black-box, lightweight, and cross-architecture manner. Extensive experiments across multiple datasets and model architectures demonstrate that DVIA boosts MIA accuracy by up to 32.7%, revealing that machine unlearning may inadvertently weaken—rather than strengthen—the overall privacy protection of training data.

Machine unlearning is a newly popularized technique for removing specific training data from a trained model, enabling it to comply with data deletion requests. While it protects the rights of users requesting unlearning, it also introduces new privacy risks. Prior works have primarily focused on the privacy of data that has been unlearned, while the risks to retained data remain largely unexplored. To address this gap, we focus on the privacy risks of retained data and, for the first time, reveal the vulnerabilities introduced by machine unlearning under the dual-view setting, where an adversary can query both the original and the unlearned models. From an information-theoretic perspective, we introduce the concept of {privacy knowledge gain} and demonstrate that the dual-view setting allows adversaries to obtain more information than querying either model alone, thereby amplifying privacy leakage. To effectively demonstrate this threat, we propose DVIA, a Dual-View Inference Attack, which extracts membership information on retained data using black-box queries to both models. DVIA eliminates the need to train an attack model and employs a lightweight likelihood ratio inference module for efficient inference. Experiments across different datasets and model architectures validate the effectiveness of DVIA and highlight the privacy risks inherent in the dual-view setting.