On April 4, 2026, Lapsus$ posted a 4TB data dump from Mercor containing voice recordings paired with government IDs from 40,000 AI contractors. The breach is different because of what's in it. The contractor onboarding process collected passport or driver's license scans, webcam selfies, and studio-clean voice recordings averaging 2-5 minutes per person. That combination gives attackers exactly what they need for high-fidelity voice cloning plus verified credentials to put those clones to work.
The Wall Street Journal reported in February 2026 that voice cloning tools now need just 15 seconds of clean audio. The threat models are documented, not speculative. Attackers can bypass bank voiceprint verification. They can vish employers to redirect payroll. In 2024, a finance worker at Arup wired $25 million after a deepfake video call. Pindrop reported a 475% year-over-year increase in synthetic voice attacks against insurance call centers in 2025. Open-source models like Fish Audio's S2 Pro are making it easier for bad actors to bypass these checks. The FBI logged $2.3 billion in losses for victims aged 60 and over in 2026, with emergency impersonation calls the fastest-growing category.
For Mercor's enterprise clients, the breach creates a supply chain problem. Those 40,000 verified contractors are now potential vectors for impersonation attacks. Anyone relying on this contractor pool has to treat the entire workforce as compromised. That means re-verification, anti-spoofing tools like AASIST and AudioSeal, and rebuilding trust in identity verification, all because one company collected biometric data it couldn't protect.
Five lawsuits were filed within 10 days. Plaintiffs argue Mercor collected voice prints under a "training data" framing without making clear they were permanent biometric identifiers. You can't rotate your voice like a password. ORAVYS, which published the breach analysis, offers victims free voice checks to determine whether their biometrics appear in the dump. Commenters noted the irony of sending more voice samples to a security company. The German concept of "Datensparsamkeit," or data frugality, applies here. Companies shouldn't collect what they can't secure, especially when the damage is permanent.