Meta Pauses Work With AI Data Vendor Mercor After Security Breach Exposes Training Secrets

2026-04-04T03:15:23.063Z

Meta has paused all work with data contracting firm Mercor following a major security breach that potentially exposed proprietary AI training data. The indefinite pause underscores the extreme sensitivity of the data that powers the world's most advanced AI models.

What Happened

Mercor, one of the few firms that OpenAI, Anthropic, and other AI labs rely on for generating training data, confirmed a security incident on March 31. The breach appears connected to an attacker known as TeamPCP, who compromised two versions of the AI API tool LiteLLM in a broader supply chain hacking campaign.

Why This Matters

Mercor and competitors like Surge, Handshake, Scale AI, and Labelbox hire massive networks of human contractors to generate proprietary datasets for AI model training. This data is considered among the most valuable trade secrets in the industry because it can reveal to competitors — including Chinese AI labs — key details about how models are trained.

The contractors use internal codenames for projects. One Meta-specific initiative called "Chordus" focused on teaching AI models to use multiple internet sources to verify responses to user queries.

The Attackers

TeamPCP, which has been gaining prominence through a series of supply chain attacks, appears to be financially motivated, according to Allan Liska of Recorded Future. The group has also been spreading a data-wiping worm called "CanisterWorm" through vulnerable cloud instances with Farsi defaults or Iranian time zone settings.

A separate group claiming the name "Lapsus$" offered to sell alleged Mercor data on dark web forums, including 200+ GB databases, nearly 1 TB of source code, and 3 TB of video. However, researchers say many cybercriminal groups now adopt the Lapsus$ name, and the actual attacker is likely TeamPCP.

Impact on Contractors

Mercor contractors staffed on Meta projects cannot log hours until projects resume. The company is working to find additional projects for those impacted, according to internal conversations viewed by WIRED.

Broader Implications

This breach highlights the fragility of AI supply chains. As AI companies increasingly rely on third-party data vendors, the security of these intermediaries becomes a critical vulnerability. The incident could accelerate the trend of AI labs bringing data generation in-house to protect proprietary training methodologies.
