On April 4, 2026, the extortion group Lapsus$ published a four-terabyte archive containing biometric data on more than 40,000 contractors of Mercor, a platform that recruits workers to train artificial intelligence models. The leak includes voice recordings, document scans, and verification selfies, and it has triggered five class-action lawsuits in ten days over the company's failure to warn that voiceprints would serve as a permanent biometric identifier.
Voice cloning from fifteen seconds of audio 🎙️
The core technical risk is that high-quality voice cloning needs only about fifteen seconds of clean audio to replicate a vocal identity. Mercor's recordings, captured under optimal conditions and lasting between two and five minutes, provide more than enough material to build synthetic voice models. Each leaked file thus becomes an impersonation vector, and those affected cannot revoke their voiceprints: unlike passwords or physical tokens, voice biometrics cannot be changed, which amplifies the potential damage from extortion or automated phone fraud.
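To make the scale concrete, here is a minimal sketch, using only Python's standard library, of how many cloning-grade samples a single leaked recording yields. The fifteen-second threshold is the figure cited above; the synthetic silent WAV merely stands in for a real verification recording, and the function names are illustrative, not part of any real cloning tool.

```python
import io
import wave

CLIP_SECONDS = 15  # rough minimum sample length cited for high-quality cloning


def make_silent_wav(duration_s, rate=16_000):
    """Create an in-memory mono 16-bit WAV of silence (stand-in for a real recording)."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(b"\x00\x00" * int(duration_s * rate))
    buf.seek(0)
    return buf


def wav_duration(fileobj):
    """Duration of a WAV file or file-like object, in seconds."""
    with wave.open(fileobj, "rb") as w:
        return w.getnframes() / w.getframerate()


def usable_clips(duration_s, clip_s=CLIP_SECONDS):
    """Non-overlapping clips of cloning-grade length that fit in one recording."""
    return int(duration_s // clip_s)


# A two-minute recording -- the short end of Mercor's range -- already
# yields eight independent fifteen-second samples.
recording = make_silent_wav(120)
print(usable_clips(wav_duration(recording)))  # 8
```

At the five-minute upper end the same arithmetic gives twenty samples per contractor, which is why a single verification call is enough raw material for cloning.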
Your voice is no longer yours, it's a training file 🤖
The bitter irony of the case is that those affected were paid to train AI models and have now become an involuntary dataset for another kind of artificial intelligence. Mercor asked them to speak clearly to improve its algorithms but never mentioned that their voices would cease to be private. With fifteen seconds of recording, any open-source script can imitate a contractor asking for a loan. If their faces are stolen via selfies, they can at least wear sunglasses; for the voice, only silence remains.