Mercor Data Breach

-


The Mercor breach was a major supply‑chain–driven cyberattack that exposed sensitive data from one of the AI industry’s most important training‑data vendors. It originated from a poisoned update to the open‑source LiteLLM library and quickly escalated into a multi‑terabyte compromise claimed by the Lapsus$ extortion group. 

What Triggered the Breach

  • The root cause was a supply‑chain compromise of LiteLLM, a Python library downloaded millions of times per day and used to connect applications to AI services.
  • A threat group known as TeamPCP hijacked LiteLLM’s CI/CD pipeline and pushed malicious versions 1.82.7 and 1.82.8 to PyPI for ~40 minutes. These versions contained credential‑harvesting malware.
  • Mercor confirmed it was “one of thousands of companies” affected by the poisoned package.

How Attackers Reached Mercor

  • The malicious LiteLLM update harvested credentials from systems that imported the library.
  • Those credentials were then used to pivot deeper into Mercor’s environment, accessing internal systems, source code, and data repositories.
  • Lapsus$ later claimed responsibility, stating they obtained 4TB of Mercor data, including:
  • 939GB of source code
  • ~200GB+ of database records (resumes, PII, candidate data)
  • ~3TB of video interviews and verification data
  • Full access to Mercor’s TailScale VPN

What Data Was Exposed

While Mercor has not confirmed the full scope, samples posted by attackers and reporting indicate exposure of:

  • Slack data and internal ticketing information
  • Recorded interviews between contractors and Mercor’s AI systems
  • Candidate profiles, PII, employer data
  • Source code and API keys
  • Potential access to proprietary training datasets used by major AI labs

Impact on Major AI Companies

Mercor is deeply embedded in the AI supply chain, providing training and evaluation labor for:

  • Meta
  • OpenAI
  • Anthropic

Reactions so far:

  • Meta paused all work with Mercor indefinitely pending investigation.
  • OpenAI is investigating but has not paused its projects.
  • Anthropic has not commented publicly.

Because Mercor handles sensitive training data and evaluation workflows, the breach raised concerns that model‑training secrets or contractor‑generated datasets may have been exposed.

Legal Fallout

At least five contractor lawsuits were filed within a week, alleging:

  • Negligence
  • Exposure of Social Security numbers, addresses, and interview recordings
  • Violations of data‑privacy and consumer‑protection laws
  • Liability extending to LiteLLM’s creators and a compliance‑audit firm (Delve)

A class‑action suit also alleges 40,000+ individuals may be at risk of identity theft.

Why This Breach Matters

This incident is a textbook example of AI‑supply‑chain fragility:

  1. Single dependency → industry‑wide exposure
    LiteLLM’s popularity meant a 40‑minute compromise cascaded across thousands of companies.
  2. AI training pipelines are high‑value targets
    Training data, evaluation workflows, and source code are extremely sensitive and often proprietary.
  3. Contractor ecosystems are vulnerable
    Mercor’s model relies on gig‑based experts whose PII and recorded sessions became part of the breach.
  4. Source‑code leaks amplify long‑term risk
    Attackers can study leaked code to identify vulnerabilities for future exploitation.

Current Status

• Mercor states it has contained and remediated the incident and is working with third‑party forensics teams.

• The authenticity of the full 4TB dataset is still unverified, but multiple outlets have confirmed the legitimacy of at least some leaked samples.

• Major AI labs are reevaluating their reliance on Mercor and similar vendors.




Popular posts from this blog

Entire List Leaked for Canvas Ransomware Attack

-
Image
  ( NOTE FROM REDDITOR: All attempts at requesting edit access will be denied. If something is needed, you may email me at: storeluxorsales@gmail.com ) I am not affiliated with this group in any way - so also, please do stop asking (looking at you random press sites). - If anyone wants to save this document, feel free to make a copy. I will be deleting this copy on 10/1/2026. File from link begins below this line. _____________________ This file has been downloaded from the ShinyHunters Data Leak Site (DLS). Our DLS is accessible at these locations:     - http://shnyhntww34phqoa6dcgnvps2yu7dlwzmy5lkvejwjdo6z7bmgshzayd.onion/     - http://shinypogk4jjniry5qi7247tznop6mxdrdte2k6pdu5cyo43vdzmrwid.onion/ > These files were leaked on the ShinyHunters DLS because the victim did not pay a ransom or cooperate and comply with the ShinyHunters group. src;refs;lnks; http://web.archive.org/web/20260322033123/https://shinyhunte.rs/ http://web.archive...
Read more

WSUS CVE-2025-59287 Mitigation

-
Image
CVE-2025-59287 is a critical Remote Code Execution (RCE) vulnerability affecting Windows Server Update Services (WSUS) . Here's a detailed breakdown of what it is, how it works, and what you should do about it: Overview Disclosed: October 2025 Patch Tuesday CVSS Score: 9.8 (Critical) Affected Systems: Windows Server 2012 through 2025 (including Server Core installations) Exploitability: Microsoft rates it as “Exploitation More Likely” Technical Details The vulnerability arises from unsafe deserialization of untrusted data in WSUS. Specifically, the GetCookie() endpoint in WSUS processes encrypted AuthorizationCookie objects without proper type validation. The deserialization occurs via .NET BinaryFormatter , which is known to be insecure when handling untrusted input. Attackers can send a crafted SOAP request to WSUS over port 8530 , containing a malicious AuthorizationCookie . The cookie is decrypted using a hardcoded AES key and then deserialized, allow...
Read more

Cloud Infrastructures are Having a Bad Week

-
Image
  Today’s disruptions across Microsoft Azure and Amazon Web Services (AWS) were significant, but they’re not signs of cloud computing’s demise. Instead, they underscore the risks of centralization and the importance of designing systems that can withstand provider-level failures. What happened today? • Microsoft Azure outage: Azure’s Front Door service suffered a major disruption due to a misconfiguration, impacting services like Outlook, Xbox, Microsoft 365, and even third-party platforms like Starbucks and Alaska Airlines. The Azure website states a little more than disruption. "Azure Front Door - Connectivity issues - Observing recovery Starting at approximately 16:00 UTC on 29 October 2025, customers and Microsoft services leveraging Azure Front Door (AFD) may have experienced latencies, timeouts, and errors. We have confirmed that an inadvertent configuration change was the trigger event for this issue. Affected Azure services may have included, but were not limited to: App S...
Read more