Six months ago, Mercor was flying high after raising a whopping $350 million Series C that valued the AI data training startup at $10 billion. But after admitting on March 31 that it was the target of a data breach, the company is facing a world of problems.
Since then, a hacker group has claimed to have obtained 4TB of stolen data from Mercor’s systems, including candidate profiles, personally identifiable information, employer data, source code and API keys. Mercor has not commented on the authenticity of the data, simply reiterating that it is investigating and will “continue to communicate with our customers and contractors directly as necessary and devote the necessary resources to resolve the issue as soon as possible.”
Mercor said its data breach was the result of a hack of the open source tool LiteLLM. This tool is so popular that it is downloaded millions of times a day. For 40 minutes, the tool contained credential harvesting malware — rogue software that could steal login credentials. These credentials were used to gain access to more software and accounts, which were in turn used to collect more credentials, and so on.
While there has been no official confirmation of how much data was collected from Mercor, there have been repercussions. Meta terminated its contracts with Mercor indefinitely, sources told Wired. (Mercor declined to comment to TechCrunch about this.)
Like other conventional AI data training companies, Mercor handles some of the model builders’ biggest trade secrets: the custom datasets and processes they use to train their models. This is so important to them that even after Meta spent $14.3 billion on Mercor competitor Scale AI, it continued to work with Mercor.
In one spot of good news for Mercor (maybe…we’ll see): OpenAI also confirmed to Wired that it was investigating its exposure to the Mercor breach, but said it had not terminated its contracts at the time. However, TechCrunch has heard from multiple sources that other major model makers may also be weighing their relationships with Mercor following the breach, though we haven’t confirmed enough details to name names yet.
Meanwhile, five of Mercor’s contractors have filed lawsuits regarding the alleged exposure of their personal data, Business Insider reports. Whether these suits represent a serious threat or are just opportunistic and annoying remains to be seen. (Mercor declined to comment.)
One lawsuit, reviewed by TechCrunch, even named LiteLLM and Delve as defendants. This is wild, and maybe long, but here’s the connection: LiteLLM used AI compliance startup Delve to get its security certifications. Delve has been accused by an anonymous whistleblower of allegedly falsifying data for security certificates and using rubber-stamping controllers.
Security certification does not directly prevent hackers from launching successful attacks, but is intended to ensure that companies have procedures in place to minimize such threats.
Although Delve denied these claims while simultaneously launching operational changes, it was in a world of hurt of its own, to the point where Y Combinator cut ties with the company.
LiteLLM left Delve and is now working with another AI compliance startup to regain its security certifications. LiteLLM also posted a full report on the security incident.
But Mercor itself was not a Delve customer, the company confirmed to TechCrunch. If the fallout for Mercor continues, however, a lot of revenue could be at stake. The company was reportedly on pace to reach more than $1 billion in annual revenue earlier this year before the data leak, an unnamed source told The Information.
