Just six months ago, Mercor, an AI data training startup, was experiencing significant success, having secured a substantial $350 million Series C funding round that propelled its valuation to $10 billion. However, since disclosing on March 31 that it had been targeted by a data breach, the company has found itself embroiled in considerable challenges.
Subsequently, a hacker group has asserted that it successfully exfiltrated 4 terabytes of data from Mercor’s systems. This alleged stolen data includes sensitive information such as candidate profiles, personally identifiable information (PII), employer data, source code, and API keys. Mercor has not commented on the authenticity of these claims, reiterating only that it is conducting an investigation and "will continue to communicate with our customers and contractors directly as appropriate and devote the resources necessary to resolving the matter as soon as possible."
Mercor attributed its data breach to a compromise of the open-source tool LiteLLM, a utility so popular it sees millions of downloads daily. For a critical 40-minute period, the tool was infected with credential harvesting malware—malicious software designed to steal login credentials. These stolen credentials were then reportedly used to gain unauthorized access to additional software and accounts, facilitating a further cascade of credential harvesting.
While there has been no formal acknowledgment of the precise volume of data exfiltrated from Mercor, the incident has already triggered significant repercussions. Sources informed Wired that Meta has indefinitely suspended its contracts with Mercor. Mercor declined to comment to TechCrunch regarding this specific development.
Like other companies specializing in contract AI data training, Mercor is entrusted with some of the most crucial trade secrets of AI model makers: the bespoke datasets and proprietary processes they utilize to train their models. The strategic importance of this role is highlighted by Meta’s continued engagement with Mercor, even after investing a substantial $14.3 billion in Mercor’s competitor, Scale AI.
In what could be a glimmer of positive news for Mercor, OpenAI confirmed to Wired that it is investigating its own potential exposure within Mercor’s breach, though it stated that it had not paused or terminated its contracts at the time. Nevertheless, TechCrunch has learned from multiple sources that other major model developers may also be re-evaluating their relationships with Mercor in the wake of the breach, although insufficient details have been confirmed to name specific entities.
Concurrently, Business Insider reports that five of Mercor’s contractors have filed lawsuits, alleging exposure of their personal data. Whether these legal actions represent a serious threat or are merely opportunistic nuisances remains to be seen. Mercor declined to comment on these lawsuits.
Notably, one lawsuit reviewed by TechCrunch broadened its scope to name both LiteLLM and Delve as defendants. This inclusion, while potentially far-reaching, stems from the fact that LiteLLM had engaged AI compliance startup Delve to obtain its security certifications. Delve itself has been accused by an anonymous whistleblower of fabricating data for security certifications and employing auditors who merely "rubber-stamp" approvals.
It is important to understand that a security certification does not directly prevent hackers from launching successful attacks but is instead intended to ensure that companies have robust processes and controls in place to minimize such threats.
Although Delve has denied these allegations while simultaneously instituting operational changes, the company has faced significant internal challenges, to the extent that Y Combinator ultimately severed its ties with the startup.
In response, LiteLLM has discontinued its partnership with Delve and is now collaborating with another AI compliance startup to re-obtain its security certifications. Furthermore, LiteLLM has published a comprehensive report detailing the security incident.
Mercor itself, however, confirmed to TechCrunch that it was not a direct customer of Delve. Should the fallout for Mercor continue, a substantial amount of revenue could be jeopardized. An anonymous source informed The Information that the company was reportedly on pace to achieve over $1 billion in annualized revenue earlier this year, prior to the data leak incident.
The Editorial Staff at AIChief is a team of professional content writers with extensive experience in AI and marketing. Founded in 2025, AIChief has quickly grown into the largest free AI resource hub in the industry.