Mercor is a $10 billion AI staffing company that supplies the human workforce training ChatGPT, Meta's models, and Anthropic's Claude: doctors, lawyers, and journalists doing the reinforcement learning the labs would rather not advertise. Last month, hackers walked out with 4 terabytes of their data, including 40,000 Social Security numbers, passport scans, and W9 tax forms. Mercor said nothing.

The entry point was three steps upstream. LightLLM, an open-source Python tool downloaded 95 million times a month, had malicious code quietly pushed into a public repository. Forty minutes later, attackers had 900GB of Mercor's source code, 200GB of contractor personal data, and a direct window into the training pipelines of the biggest AI labs in the world. A company valued at $10 billion, fresh off a $350 million Series C, had zero multi-factor authentication on the systems holding that data.

The SOC 2 certification that was supposed to catch exactly this? A whistleblower confirmed the auditing firm was rubber-stamping its reviews. The people certifying AI infrastructure as secure weren't checking. They were signing.

If you work in AI, use AI tools, or assumed someone responsible was watching the infrastructure, this is what that looks like.

ABOUT SLOP WORLD

AI news with receipts. Juan Faisal and Kate Cook fact-check the claims Big Tech is making about AI, follow the money, and break down what it actually means for your job, your data, and your daily life. From leaked data and corporate cover-ups to AI schools, stolen identities, and layoff headlines that don't add up, we cover the AI stories that everyone's hyping but nobody's verifying. New episodes every Thursday.

DISCLAIMER

All content is commentary and opinion based on publicly available documents, interviews, and verifiable sources. References to "scams," "grifts," or related terms reflect our editorial opinion, not legal conclusions. Anyone featured who believes a statement is inaccurate may contact us.

CHAPTERS

00:00 A $10B AI Contractor Got Hacked. 40,000 SSNs Gone.

01:45 Meet Mercor: The Hidden Company Training ChatGPT

04:07 How the Hack Worked in 40 Minutes

07:27 What a Stolen SSN Does to You

09:11 The Security Audit Was a Rubber Stamp

13:52 The Workers Knew. Nobody Listened.

16:42 Who F***ed Up: Mercor, the AI Labs, or Everyone?