Mercor, a startup that provides training data to large AI companies, has confirmed that it was the victim of a security breach that may have exposed important company and user data.
The three-year-old startup, valued at $10 billion, recruits experts in fields ranging from medicine to law to literature to provide insights that improve the capabilities of AI models. Its clients include Anthropic, OpenAI, and Meta.
According to unconfirmed reports circulating online, datasets used by some Mercor customers and information about those customers’ privacy plans may have been compromised in the breach.
The incident was linked to a supply chain attack involving LiteLLM, a widely used open source library for connecting applications to AI services.
The company confirmed to Good luck that it was “one of thousands of companies” affected by a supply chain attack on LiteLLM, which has been linked to a hacking group called TeamPCP. Mercor spokeswoman Heidi Hagberg said that the company “moved immediately” to catch and fix the incident and that a third-party investigation is ongoing.
“The privacy and security of our customers and contractors is at the core of everything we do at Mercor,” Hagberg said. “We will continue to communicate directly with our customers and contractors as appropriate and provide the necessary resources to resolve the issue as quickly as possible.”
Mercor is considered one of the hottest start-ups in Silicon Valley, having raised $350 million in a Series C round led by venture capital firm Felicis Ventures last October.
The TeamPCP hacking group planted malicious code in LiteLLM, a tool developers use to connect applications to AI services from companies including OpenAI and Anthropic. The library is typically downloaded millions of times a day, according to security firm Snyk. The code was designed to harvest documents and spread throughout the industry before it was identified and removed within hours of discovery.
Lapsus$, a notorious hacking group, later claimed to have targeted Mercor and obtained its data. It was not immediately clear how the gang obtained the data, and Mercor did not respond to direct inquiries from Good luck about the hacking group’s allegations. TeamPCP is thought to have recently started collaborating with Lapsus$ as well as other ransomware and hacking groups, according to security researchers from cybersecurity firm Wiz quoted in an Infosecurity Magazine story.
TeamPCP is known for engineering so-called supply chain attacks, where malware is planted in codebases or software libraries that are widely used by programmers when writing their code. Lapsus$, on the other hand, is a classic hacking group, known for social engineering and phishing attacks that focus on stealing user login credentials and then using those credentials to access and steal valuable information.
Lapsus$ published samples of allegedly stolen data on its leak site, according to TechCrunch, including what appeared to be Slack data, internal ticket information, and two videos that allegedly show conversations between Mercor’s AI systems and contractors on its platform. Lapsus$ claims to have found four terabytes of data in total, including source code and database records. One terabyte is about as much data as found in 1,000 hours of video or 1,000 copies of Encyclopedia Britannica.
Mercor may be a harbinger of a coming wave of hacking attempts stemming from a supply chain attack. TeamPCP has publicly announced its intention to partner with ransomware and extortion groups to target the most affected companies, according to cybersecurity trade publication Cybernews. If true, the strategy would mirror previous campaigns by extortion groups.
In 2023, an attack from the Cl0p gang that exploited a vulnerability in MOVEit, a widely used file transfer tool, breached hundreds of organizations simultaneously, affecting nearly 100 million people across government agencies, financial institutions and healthcare providers. Attempts to rig the campaign lasted for months.