Anthropic's 'Too Dangerous' Mythos Model Accessed via URL Guessing After Mercor Breach

Anthropic had publicly stated its Mythos model was "too dangerous to release," yet a group in a private Discord gained access by guessing the model's endpoint URL — inferring Anthropic's naming conventions from a Mercor data breach three weeks prior. The group then used a contractor's legitimate eval credentials to authenticate and has been using the model to build websites. Gary Marcus's summary: "The AI that finds zero-days in every operating system on earth was defeated by address bar autocomplete."

Why It Matters

The incident exposes a foundational API security failure at a lab that publicly claimed to be withholding a dangerous model for safety reasons. Access controls that rely only on obscurity rather than authentication depth are insufficient for any model deemed too hazardous to release. With the Mercor breach as the pivot point, this is also a supply-chain-adjacent access event.