April 27, 2026
Your voice just got hacked
4TB of voice samples just stolen from 40k AI contractors at Mercor
Hackers grabbed voices and IDs — commenters call it a deepfake starter kit
TLDR: Hackers stole 4TB of voices plus IDs from 40,000 Mercor contractors, a combo tailor-made for deepfake scams. Commenters blast data hoarding and weak security, push “collect less” and real penalties, and warn voice-based security is toast for banks, workplaces, and even grandma calls.
The internet is in meltdown over Mercor’s colossal leak: 4TB of voices paired with ID scans from 40,000 AI contractors. The author, Oravys, doesn’t mince words, calling it a “deepfake-ready kit.” And the crowd agrees — this isn’t just a breach, it’s a how-to bundle for impersonation scams. Privacy hardliners are shouting “Datensparsamkeit” (be frugal with data) like a battle cry, basically: if companies didn’t collect it, it couldn’t leak. One commenter sighed, “you could see this coming a mile away,” while others raged that Mercor “tricked” contractors with the friendly “training data” label.
The stakes? Terrifyingly simple: voice clones can smooth-talk banks, HR, and even video calls — think the Hong Kong case where a fake team video convinced a worker to wire $25 million (BBC). Commenters dunked on “voice as a password,” joking, “my voice needs 2FA now” and “captcha for my larynx.” The Wall Street Journal says cloning needs 15 seconds; Mercor recordings reportedly run minutes. Do the math.
Five lawsuits landed within days, and the mob wants regulators to make an example. The practical chorus: treat your voice like a leaked password — you can’t change it, but you can limit what it unlocks. Meanwhile, infosec old-timers nod to Germany’s data-minimization ethos (wiki) and point to past scam playbooks cataloged by Krebs on Security. The vibe: furious, fatalistic, and very, very online.
Key Points
- •Lapsus$ leaked approximately 4TB of Mercor contractor data on April 4, 2026, pairing voice biometrics with government ID scans.
- •The archive reportedly covers over 40,000 contractors who provided scripted, studio-quality voice recordings during onboarding.
- •Five lawsuits were filed within ten days, alleging Mercor collected permanent biometric identifiers under a training-data pretext.
- •Mercor’s 2–5 minute clean audio samples exceed the ~15-second threshold for effective voice cloning reported by the Wall Street Journal.
- •Documented misuse scenarios include bank voiceprint bypass, employer vishing, deepfake video calls (Arup case), insurance fraud (Pindrop data), and emergency impersonation scams (FBI IC3 stats).