Lapsus$ Steals 4TB, LiteLLM Supply Chain Attack, OpenAI Anthropic Contracts
Mercor, a three-year-old AI recruiting startup valued at $10 billion that works with some of the biggest names in artificial intelligence including OpenAI, Anthropic, and Meta, has confirmed a serious data breach in which the notorious hacking group Lapsus$ claims to have stolen four terabytes of data including source code, user databases, video interviews, and identity verification documents.
The startup, which recruits experts in fields ranging from medicine to law to literature to help provide data that improves the capabilities of AI models, confirmed that it was the victim of a security breach that may have exposed sensitive company and user data.
The breach is not a straightforward hack. It is a sophisticated supply chain attack that has already affected thousands of companies globally and is expected to affect thousands more, making Mercor one of the first publicly confirmed victims of what cybersecurity researchers are describing as one of the most significant supply chain attacks in the AI era.
What Is Mercor and Why Does This Matter
Mercor is a computer software company that operates an AI training data platform. The company connects leading artificial intelligence labs with domain experts for tasks such as reinforcement learning from human feedback, model evaluation and supervised fine-tuning. Mercor was founded in 2023 by Brendan Foody, Adarsh Hiremath and Surya Midha.
Mercor has reported facilitating more than $2 million in daily payouts to its network of contractors. Many of those contractors are based in India, where the platform has significant operations connecting Indian professionals in medicine, law, science, and other domains with AI companies that need their expertise for model training.
According to unconfirmed reports circulating online, datasets used by some of Mercor’s customers and information about those customers’ secretive AI projects may have been compromised in the breach. If confirmed, this would mean that sensitive information about the AI development work of OpenAI, Anthropic, and Meta could have been exposed in a single breach.
How the Attack Happened — The LiteLLM Supply Chain
The LiteLLM incident occurred on March 27 and was the result of the Trivy supply chain attack that was mounted a week before. Using a maintainer’s compromised credentials, the TeamPCP hacking group published two malicious LiteLLM PyPI package versions, namely 1.82.7 and 1.82.8, which were available for download for roughly 40 minutes. LiteLLM is estimated to be present in 36 percent of cloud environments.
LiteLLM is an open-source library that thousands of AI companies and developers use to manage connections to multiple AI model providers through a single unified interface. It is, in the AI development world, the equivalent of a widely trusted infrastructure component that almost everyone relies on without thinking about it.
TeamPCP injected into versions 1.82.7 and 1.82.8 a three-stage malicious backdoor designed to harvest credentials and establish persistent system access.
Although the malicious versions were only available for approximately 40 minutes, that window was sufficient for the packages to be automatically downloaded by thousands of companies, including Mercor, whose systems were configured to pull the latest version of the library automatically.
Mercor told TechCrunch that it was one of thousands of companies affected by the recent compromise of LiteLLM’s project, which was linked to a hacking group called TeamPCP.
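An added example, not part of the original article or of LiteLLM's own code: a Python check that reports which `litellm` entries in a requirements file would have resolved to, or are pinned to, versions 1.82.7 and 1.82.8 named above. The function names, status labels and sample file are constructed for illustration, and only plain numeric version specifiers are handled.

```python
import re

# Malicious LiteLLM releases named in the article.
BAD_VERSIONS = ("1.82.7", "1.82.8")
# Requirement line for litellm itself (extras allowed), not e.g. litellm-extras.
REQ_RE = re.compile(r"^\s*litellm(?![\w.-])(\[[^\]]*\])?(?P<spec>[^;#\\]*)", re.I)
CLAUSE_RE = re.compile(r"^(==|!=|>=|<=|~=|>|<)\s*(\d+(?:\.\d+)*)$")

# Constructed sample requirements file, not taken from any real project.
SAMPLE = """\
requests==2.31.0
litellm
litellm[proxy]>=1.80,<2
litellm==1.82.8
litellm~=1.81.0
"""

def _key(version, width=4):
    """Release tuple zero-padded to a fixed width, so 1.82 equals 1.82.0."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def admits(spec, version):
    """True if every clause of a comma-separated specifier allows version."""
    v = _key(version)
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        m = CLAUSE_RE.match(clause)
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        op, bound = m.group(1), _key(m.group(2))
        n = m.group(2).count(".")  # ~= fixes all but the last given component
        if not {"==": v == bound, "!=": v != bound, ">=": v >= bound,
                "<=": v <= bound, ">": v > bound, "<": v < bound,
                "~=": v >= bound and v[:n] == bound[:n]}[op]:
            return False
    return True  # an empty specifier admits any version, i.e. "latest"

def audit(requirements_text):
    """Return (line, status) for every litellm requirement line."""
    findings = []
    for line in requirements_text.splitlines():
        m = REQ_RE.match(line)
        if m:
            spec = m.group("spec").split("--")[0].strip()  # drop pip options
            hit = any(admits(spec, bad) for bad in BAD_VERSIONS)
            status = ("OK" if not hit else "PINNED_MALICIOUS"
                      if spec.startswith("==") else "ADMITS_MALICIOUS")
            findings.append((line.strip(), status))
    return findings
```

An `ADMITS_MALICIOUS` entry means a fresh install during the publication window could have resolved to one of the two releases; what was actually installed has to be confirmed from the environment or build logs.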
What Lapsus$ Claims to Have Stolen
The hacking collective Lapsus$ has listed Mercor’s platform data for a live auction on the dark web, prompting interested buyers to make an offer. The threat actors claim to have exfiltrated the entirety of the 4-terabyte dataset by breaching the company’s Tailscale VPN. The extensively detailed stolen cache reportedly includes 939GB of platform source code, a 211GB user database, and 3TB of storage buckets containing video interviews and identity verification passports.
The claim that the cache includes passports submitted for identity verification is particularly alarming. Mercor’s platform requires contractors to verify their identity to use the platform, meaning passport data from potentially thousands of professionals globally, including Indian doctors, lawyers, scientists, and other domain experts who contract through Mercor, could be in the stolen dataset.
Lapsus$ shared a sample of data allegedly taken from Mercor which TechCrunch reviewed. The sample included material referencing Slack data and what appeared to be ticketing data, as well as two videos purportedly showing conversations between Mercor’s AI systems and contractors on its platform.
Who Are Lapsus$ and TeamPCP
TeamPCP is known for engineering so-called supply chain attacks, in which malware is planted inside codebases or software libraries that are widely used by programmers when writing their own code. Lapsus$, by contrast, is an older hacking group, known for social engineering and phishing attacks that focus on stealing user log-in credentials and then using those credentials to gain access to and steal sensitive data.
TeamPCP is thought to have recently begun collaborating with Lapsus$ as well as other groups that specialise in ransomware and extortion, according to security researchers from the cybersecurity firm Wiz.
The collaboration between a supply chain attack specialist and an extortion specialist is a concerning development. TeamPCP gets inside thousands of companies through compromised open source libraries. Lapsus$ then monetises the access through extortion and dark web data sales. Together they represent a more industrialised and scalable attack model than either group could execute independently.
The Scale of the Wider Problem
Mercor is not the only victim and will not be the last. Threat hunters at vx-underground estimate the data thieves have exfiltrated data and secrets from 500,000 machines. At RSA Conference, Mandiant Consulting CTO Charles Carmakal told reporters that the Google-owned incident response business knew of over 1,000 impacted SaaS environments that were actively dealing with the cascading effect of the TeamPCP supply chain attacks. “That 1,000-plus downstream victims will probably expand into another 500, another 1,000, maybe another 10,000,” Carmakal said.
Mercor may be an early indicator of a coming wave of extortion attempts stemming from the supply chain attack. TeamPCP has publicly stated its intention to partner with ransomware and extortion groups to target affected companies at scale. If true, that strategy would mirror campaigns carried out in the past by hacking groups. In 2023, an attack from the Cl0p ransomware gang that exploited a vulnerability in MOVEit, a widely used file transfer tool, breached hundreds of organisations simultaneously, ultimately affecting nearly 100 million individuals across government agencies, financial institutions, and health care providers.
What Mercor Has Said
Mercor spokesperson Heidi Hagberg confirmed that the company had moved promptly to contain and remediate the security incident. “We are conducting a thorough investigation supported by leading third-party forensics experts. We will continue to communicate with our customers and contractors directly as appropriate and devote the resources necessary to resolving the matter as soon as possible.”
Mercor said there has been a “limited impact on our operations.” The company has declined to answer specific questions about whether Lapsus$’s claims of four terabytes of stolen data are accurate, whether contractor passport data was accessed, or what specific customer data may have been exposed.
The India Dimension
For Indian professionals who have used Mercor’s platform to contract with AI companies, the breach raises specific concerns. Mercor has significant operations in India, connecting Indian professionals across medicine, law, and technical domains with AI training projects. The contractor verification process that Mercor uses includes identity documents. If the Lapsus$ claim of 3TB of storage buckets containing identity verification passports is accurate, Indian contractors on the platform may have had their passport data compromised.
Indian contractors who have worked with Mercor should monitor for any official communication from the company about what specific data was accessed and whether their personal information was part of the breach. The class action lawsuit investigation already underway in the United States may eventually extend to affected contractors globally.