Mercor says it was hit by cyberattack tied to compromise of LiteLLM (techcrunch.com)

130 points by jackson-mcd 2 days ago

nope1000 11 hours ago

> The incident also prompted LiteLLM to make changes to its compliance processes, including shifting from controversial startup Delve to Vanta for compliance certifications.

This is pretty funny.

The leaked Excel sheet with customers of Delve is basically a shortlist of targets for hackers to try now. Not that they necessarily have bad security, but you can play the odds.

_pdp_ 9 hours ago

I am not defending Delve or anything, and I hope they get what they deserve, but there is no correlation between SOC2 certification and the actual cyber capability of a company. SOC2 and ISO27001 are just compliance and frankly most of it is BS.

nope1000 5 hours ago

Sure, it's certainly not perfect, and a lot of the documentation is something you just write for the audit and never look at again, but that's why I am saying play the odds. The average Delve customer startup might be less secure than the average startup that has to justify their processes to a real auditor.

Lucasoato an hour ago

I went through SOC2 Type I and II. I’d say that most of that stuff is necessary, like splitting environments and so on. That doesn’t mean it’s anything close to sufficient to avoid being hacked.

It’s a framework to give you the direction, then if employees are careless (or even malicious), no security standard is complete enough to protect a company.

coldstartops 6 hours ago

Personally, I use them as frameworks to justify management processes.

A) I tie the cybersecurity activities to business revenue enabling outcomes (unblocked contracts), and second to reduced risk (as people react less to this when spending the buck).

B) with the political capital from point A) I actually operate a cybersecurity program, justify DevSecOps artefacts, threat modeling, incident response exercises, etc.

What these SOC2 reports and ISO27k certificates are is more like a standardization for communicating the activities of the org to outside people, and getting an external person to vet that the org doesn't bulls*t too much. But at the end of the day, the organization is responsible for keeping their house in order.

latchkey 28 minutes ago

According to SemiAnalysis, it is akin to getting an FAA certification.

https://x.com/HotAisle/status/2035062702587232458

snapcaster 4 hours ago

Some of it is, but things like "your stage/dev and production environments should be completely isolated from each other" are valid and most tech companies get lazy on this front.

aitchnyu 8 hours ago

Delve and Emdash. Are there more products or companies with similar names?

parliament32 2 hours ago

It was never about cyber capability. It's a liability transfer framework.

If a service provider has a control that says "we use firewalls on all network access points, and configure those firewalls to CIS benchmark whatever", and a third-party signs off with "yes we checked, they have the firewalls, and they're configured properly", you now have two parties you can sue when a security incident caused by lack of firewalls causes you material damage.

Your org's cyber insurance will also go down if you can say "all our vendors have third-party attested compliance, and we do annual compliance reviews".

sandeepkd 4 hours ago

Yes, they may be BS in certain cases; however, it's still better than nothing. They do allow the companies to consider the questions at least instead of claiming unawareness, and most importantly it facilitates the incremental improvement.

sebmellen 9 hours ago

It might feel like BS, and I'm inclined to agree with you because of the security theater aspect. (For example, Mercor had their verification done by what appears to be a legitimate audit firm.)

But it's not useless. It still forces you to go through a very useful exercise of risk modeling and preparation that you most likely won't do without a formal program.

robshippr 3 hours ago

Second major supply chain compromise in a week after the axios npm attack. 40 minutes and 500k machines affected. SOC2 won't catch this. The real question is whether your CI pipeline would have flagged a dependency change that happened between your last build and the one going to prod. Most teams have no visibility into that window at all.
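
The drift check the comment above asks about, as an added example that is not part of the thread: it compares the hash-pinned lockfile recorded at the last build with the one resolved for the production build and reports every pin that was added, removed, re-versioned, or republished under the same version. The pip `--hash` requirements format is real; the package names, versions and hash values are constructed.

```python
import re
import sys

# Constructed lock snapshots (pip hash-pinned requirements format).
LAST_BUILD = r"""
llm-proxy-lib==1.4.2 \
    --hash=sha256:1111
http-client-lib==2.0.0 --hash=sha256:2222
yaml-parser-lib==6.0 --hash=sha256:3333
"""
PROD_BUILD = r"""
llm-proxy-lib==1.4.3 \
    --hash=sha256:4444
http-client-lib==2.0.0 --hash=sha256:9999
yaml-parser-lib==6.0 --hash=sha256:3333
new-helper-lib==0.1.0 --hash=sha256:5555
"""

def parse_lock(text):
    """Return {normalized name: (version, frozenset of pinned hashes)}."""
    pins = {}
    # Join backslash-continued lines so each pin is one logical line.
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split(" #")[0].strip()
        m = re.match(r"([A-Za-z0-9._-]+)==(\S+)", line)
        if m:
            name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
            pins[name] = (m.group(2), frozenset(re.findall(r"--hash=(\S+)", line)))
    return pins

def drift(old_text, new_text):
    """List (package, kind, detail) for every pin that differs between builds."""
    old, new = parse_lock(old_text), parse_lock(new_text)
    findings = []
    for name in sorted(old.keys() | new.keys()):
        if name not in old:
            findings.append((name, "added", new[name][0]))
        elif name not in new:
            findings.append((name, "removed", old[name][0]))
        elif old[name][0] != new[name][0]:
            findings.append((name, "version-changed", f"{old[name][0]} -> {new[name][0]}"))
        elif old[name][1] != new[name][1]:
            # Same version, different artifact: the release was republished.
            findings.append((name, "hash-changed", old[name][0]))
    return findings

if __name__ == "__main__":
    results = drift(LAST_BUILD, PROD_BUILD)
    for finding in results:
        print(*finding)
    sys.exit(1 if results else 0)  # non-zero exit fails the pipeline step
```
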

cat-whisperer 16 minutes ago

all leaks are tied together

CafeRacer 7 hours ago

I genuinely wonder if anyone has had success landing gigs at Mercor.

tankenmate 5 hours ago

Given their AI "hiring / onboarding" process all I can say is; couldn't have happened to a nicer company.

ffsoftboiled 3 hours ago

I know of a couple people. It was a pretty miserable experience.

bombcar 6 hours ago

The way to get a gig at Mercor is to hack their LLM so that it inserts you as already hired.

sharadov an hour ago

Could not have happened to a more usurious company.

n1tro_lab 5 hours ago

The malicious LiteLLM versions were live for 40 minutes. Wiz estimates 500,000 machines were affected. LiteLLM is present in 36% of cloud environments. Forty minutes was enough.

aservus 11 hours ago

This is a good reminder that any tool handling sensitive data — even internal ones — needs to be transparent about where data goes. The assumption that SaaS tools protect your data is getting harder to defend.

lukewarm707 10 hours ago

I use LLMs to read the privacy policies that are too long to read. They guarantee almost nothing, unless you go out of your way to get an SLA.