Comment by Oravys

1 day ago

Author here. Wrote this after watching Lapsus$ post the Mercor archive on their leak site earlier this month. The thing that struck me is the combination: voice samples paired with ID document scans. Most breaches leak one or the other. This one ships a deepfake-ready kit. Tried to keep the writeup practical: what an attacker can actually do with this combo (banking voiceprint bypass, Arup-style video calls, insurance fraud), and a 5-step checklist for the contractors who were in the dump.

Happy to discuss the forensic detection side. AudioSeal watermarks, AASIST anti-spoofing, and how the detection landscape changes once voice biometrics start leaking at scale.

> Self-audit your public audio footprint. Search YouTube, podcast directories, and old Zoom recording

This is suggestion #1 on your list of remediation steps for victims, but you didn't provide any information on how anyone would actually do that. How exactly would I search the internet for copies of my voice?

Please don't tell me the solution is giving an embedding of my voice to another third party.

  • Great question. There's no "reverse voice search" yet the way there is for images — that's genuinely a tool the world needs. In the meantime, the most useful thing is searching your name across YouTube and podcast platforms to map out what's already public. And for Mercor contractors specifically, the California AG breach notice gives you a solid legal basis to request full deletion. Worth doing today.

    • Note, this comment and your other one (https://news.ycombinator.com/item?id=47931838) were autokilled by HN, because it (rightly) detected that you're using AI to write your comments. I vouched this one to unkill it before I realized it was AI and supposed to be dead. I unvouched it, but your comment's still alive. So now I'm leaving a note saying mea culpa, and to suggest not using AI in your comments unless you want to be autokilled.

Interesting - thanks for the rabbit hole today. ;)

Mercor hasn't released many public statements over the incident. Social media posts aren't necessarily public; but I did find this breach notification sample filed with CA - https://oag.ca.gov/ecrime/databreach/reports/sb24-621099 . I guess we'll see if our legislators finally take data privacy seriously.

  • Didn't this happen three weeks ago?

    Mercor has definitely released statements with boilerplate "investigations are underway."

HSBC offered voice verification years ago and I just laughed and said nope.

I don’t even use biometrics on apple devices, I use a 6 digit pin.

It was always a stupid idea.

The thing about being willing to trade convenience for security is you get called paranoid and then when the other shoe does drop and you are still doing that you still get called paranoid for the current thing you are not doing that “everyone does”.

  • > I don’t even use biometrics on apple devices

    Assuming Apple is truthful on this matter (so far it seems so), Apple devices store a mathematical representation of the data, not the data itself (i.e. not a picture of your finger) and keep it only on device on a special hardware section designed for extra security. When apps ask for authentication, they can never inspect the data, they can only ask “does this match?”.

    Even if you were somehow able to exfiltrate the data and find some way to transform it for something nefarious, you’d still need to first attack and bypass a specific hardware feature of the target’s device.

    So sure, not having any representation of the data anywhere is technically more secure (maybe, as typing your code could be intercepted by a shoulder surfer or a camera), but biometrics on Apple devices are fundamentally not the same as having your raw data available on a random server somewhere.

    • Also, given how many times you enter a 6-digit number over a day, it's absolutely trivial to steal it. Let alone basic patterns people use, smudges etc.

      In the use case of a mobile phone, apple's face id absolutely improves security several-fold.

  • Paraphrasing Franklin and Churchill, those who trade some security for some convenience may soon find themselves possessed of neither at all.

One more data point for why suing companies should lead to the CEO getting prison time as well. And ideally invent some kind of equivalent of prison for non-human persons like organisations.

Because right now the incentives to do what's right are so low. Taking a risk with other people's lives is becoming the norm for companies.