Author here. Wrote this after watching Lapsus$ post the Mercor archive on their leak site earlier this month. The thing that struck me is the combination: voice samples paired with ID document scans. Most breaches leak one or the other. This one ships a deepfake-ready kit. Tried to keep the writeup practical: what an attacker can actually do with this combo (banking voiceprint bypass, Arup-style video calls, insurance fraud), and a 5-step checklist for the contractors who were in the dump.

Happy to discuss the forensic detection side. AudioSeal watermarks, AASIST anti-spoofing, and how the detection landscape changes once voice biometrics start leaking at scale.
> Self-audit your public audio footprint. Search YouTube, podcast directories, and old Zoom recording

This is suggestion #1 on your list of remediation steps for victims, but you didn't provide any information on how anyone would actually do that. How exactly would I search the internet for copies of my voice?

Please don't tell me the solution is giving an embedding of my voice to another third party.

Great question. There's no "reverse voice search" yet the way there is for images — that's genuinely a tool the world needs. In the meantime, the most useful thing is searching your name across YouTube and podcast platforms to map out what's already public. And for Mercor contractors specifically, the California AG breach notice gives you a solid legal basis to request full deletion. Worth doing today.
Interesting - thanks for the rabbit hole today. ;)

Mercor hasn't released many public statements over the incident. Social media posts aren't necessarily public, but I did find this breach notification sample filed with CA - https://oag.ca.gov/ecrime/databreach/reports/sb24-621099 . I guess we'll see if our legislators finally take data privacy seriously.

HSBC offered voice verification years ago and I just laughed and said nope.

I don’t even use biometrics on apple devices, I use a 6 digit pin.

It was always a stupid idea.

The thing about being willing to trade convenience for security is you get called paranoid, and then when the other shoe does drop and you are still doing that, you still get called paranoid for the current thing you are not doing that "everyone does".

One more data point for why suing companies should lead to the CEO getting prison time as well. And ideally invent some kind of equivalent of prison for non-human persons like organisations.

Because right now the incentives to do what's right are so low. Taking a risk with other people's lives is becoming the norm for companies.