Mercor hit by ransomware attack with candidate data and source code up for sale
Mar 31, 2026
Key Points
- Mercor's ransomware breach exposes candidate profiles and source code, with attackers tentatively linked to Lapsus (Shiny Hunters), an international extortion group.
- If stolen data spans millions of candidates, Mercor faces Equifax-scale liability; the payments giant paid roughly $400 per affected individual.
- Customers who purchased access to Mercor's candidate database now risk that data circulating freely, gutting the product's core value.
Summary
Mercor, a recruiting and talent platform, was hit by a ransomware attack. Threat actors claim to have stolen candidate profiles, source code, video files, and Tailscale VPN data. The attackers posted the breach online and solicited bids for the stolen materials.
The breach's scope remains unclear. The attackers may be exaggerating what they actually obtained, but the exposure is material. If the stolen data includes personally identifiable information on millions of candidates and Mercor faces an Equifax-style settlement, the company could face significant liability. Equifax paid roughly $400 per affected individual. A similar payout structure could result in substantial costs for Mercor if its database is comparably large.
The attack is tentatively attributed to Lapsus, also known as Shiny Hunters, an international extortion-focused hacker group that Microsoft classifies as Strawberry Tempest. Members of the group were arrested in Brazil and the UK in 2022.
The damage extends beyond Mercor's balance sheet. Customers who paid for access to Mercor's candidate data now risk that data circulating freely, which undermines the product's core value. Individuals whose information was exposed face direct personal risk.