Meta Halts Mercor Partnership Following AI Data Breach

Summary
– Meta has indefinitely paused all work with data contractor Mercor while investigating a major security breach at the firm.
– Mercor generates secret, proprietary training datasets for major AI labs like OpenAI and Anthropic, which are a core component of their AI models.
– The breach is linked to a supply-chain attack by a group called TeamPCP, which compromised updates for the AI tool LiteLLM.
– Mercor contractors on Meta projects cannot log hours, effectively putting them out of work until the pause is lifted.
– A separate group falsely claiming to be Lapsus$ has attempted to sell alleged Mercor data, but researchers attribute the hack to TeamPCP.
In a significant development for the AI industry, Meta has suspended its partnership with the data contractor Mercor following a major security breach. The indefinite pause, confirmed by sources, comes as other leading AI labs reassess their own engagements with the firm. These companies rely on a handful of specialized contractors like Mercor to create the proprietary training data essential for developing advanced models such as ChatGPT and Claude. The secrecy surrounding these datasets is paramount, as they contain the core ingredients that give each lab’s AI a competitive edge, making any potential exposure a serious concern.
While OpenAI continues its current projects with Mercor, a spokesperson confirmed the company is investigating the incident to understand any potential exposure of its data. The spokesperson emphasized that no user data was affected. Anthropic has not provided comment. Mercor acknowledged the attack in a March 31 email to staff, citing a global security incident that impacted its systems alongside thousands of other organizations. The fallout is immediate for some workers, as contractors assigned to Meta projects have been told they cannot log hours until further notice, effectively putting them out of work. The company is reportedly attempting to find other assignments for those impacted.
Internally, Mercor has not fully disclosed the reason for the Meta project halt. In one Slack channel dedicated to a Meta initiative, a project lead stated the company was “currently reassessing the project scope.” The breach itself is linked to a compromise of the AI API tool LiteLLM, orchestrated by an attacker known as TeamPCP. This supply-chain attack, which may have thousands of victims, highlights the acute vulnerability when sensitive AI development pipelines are interrupted. The data handled by firms like Mercor and its competitors, including Scale AI and Labelbox, is so valuable that these companies operate under a veil of extreme secrecy, often using internal codenames for projects.
Complicating the situation, a group using the infamous Lapsus$ moniker claimed responsibility for breaching Mercor this week, offering to sell vast amounts of alleged company data on cybercrime forums. However, security researchers note that the Lapsus$ name is frequently adopted by various actors and that Mercor’s own confirmation points to TeamPCP as the likely culprit. TeamPCP has been conducting an aggressive supply-chain hacking spree, collaborating with ransomware groups like Vect and even deploying a politically tinged data-wiping worm against cloud instances with Farsi language settings or Iranian time zones.
Security analyst Allan Liska of Recorded Future states that while financial motivation is TeamPCP’s primary driver, geopolitical elements are also present, though difficult to verify with a new group. Regarding the Lapsus$ claim, Liska adds that the dark web posts show “absolutely nothing” connecting the Mercor data to the original hacking collective. This incident underscores the high-stakes security challenges facing the secretive ecosystem of AI data contractors, where a single breach can disrupt the work of tech giants and call the integrity of entire training pipelines into question.
(Source: Wired)




