The AI recruiting platform that serves frontier labs just completed its investigation.
The breach happened March 24-30 through a compromised version of LiteLLM — an open-source tool downloaded millions of times per day across the AI industry.
4 terabytes walked out the door.
Passport scans. Social Security numbers. Facial biometrics. 3+ terabytes of AI video interviews. W-9 forms. Cloud API keys. Source code.
40,000+ contractors affected.
Mercor knew for three months before telling anyone. Notifications went out June 25 and 26. Seven class-action lawsuits are already filed in federal courts in California and Texas.
Mandiant led the investigation. Lapsus$ claimed the data. The malware was injected into a legitimate open-source package and sat undetected across thousands of deployments.
This is not a Mercor problem. This is an industry problem.
LiteLLM was one dependency in one tool. Every AI company running open-source infrastructure has the same attack surface. The supply chain is the perimeter now.
Audit every open-source dependency your AI stack touches. Rotate credentials. Assume your tooling is compromised until you can prove otherwise.
SOURCE: https://www.mercor.com/blog/update-on-mercor-security-incident/
VERIFIED: Mercor blog, The Record, TechCrunch, All About Cookies
SIGNAL: This is the first major supply chain breach to expose biometric data from the AI workforce. Seven lawsuits in a week. The regulatory response will set precedent for every AI company using open-source tooling.
Mercor just confirmed 4TB of contractor biometrics and SSNs were stolen. Three months to notify. Seven lawsuits already filed.
AI-Assisted Content — Produced with AI assistance and human editorial review.