
Six months ago, Mercor was flying high after raising a $350 million Series C round that valued the AI data training startup at $10 billion. But the company found itself in trouble after admitting on March 31 that it had been the target of a data breach.
Since then, a group of hackers has claimed to have obtained 4TB of stolen data from Mercor systems, including candidate profiles, personally identifiable information, employer data, source code, and API keys. Mercor would not comment on the authenticity of the data, only reiterating that it was “investigating” and that it would “continue to communicate directly with our customers and contractors as appropriate and deploy the resources necessary to resolve the issue as quickly as possible.”
Mercor said its data breach was the result of a hack into LiteLLM, an open source tool so popular that it is downloaded millions of times a day. For 40 minutes, the tool harbored credential-harvesting malware: malicious software that could steal login credentials. These credentials were used to gain access to more software and accounts, which allowed the attackers to harvest more credentials, and so on.
There was no official acknowledgment of how much data was leaked from Mercor, but there were repercussions. Meta has suspended its contract with Mercor indefinitely, sources told Wired. (Mercor declined to comment to TechCrunch on this.)
Like other contract AI data training companies, Mercor handles some of model makers’ biggest trade secrets: the custom datasets and processes they use to train their models. Meta continued to work with Mercor even after spending $14.3 billion on Mercor’s competitor, Scale AI.
Good news for Mercor (maybe…we’ll see): OpenAI also confirmed to Wired that it was investigating Mercor’s breach exposure, but said it did not suspend or terminate its contract at the time. However, TechCrunch has heard from multiple sources that other large model makers may also be weighing their relationships with Mercor following the breach, though not enough details have been confirmed yet to name them.
Meanwhile, five of Mercor’s contractors have filed lawsuits alleging personal data exposure, Business Insider reports. It remains to be seen whether these lawsuits represent a serious threat or are merely opportunistic and vexatious. (Mercor declined to comment.)
One lawsuit reviewed by TechCrunch also named LiteLLM and Delve as defendants. The connection is loose and far-fetched, but here it is: LiteLLM achieved security certification using AI compliance startup Delve. Delve was accused by an anonymous whistleblower of falsifying data for security certification and using rubber-stamp auditors.
Security certification does not directly prevent hackers from launching successful attacks, but is intended to ensure that a company has processes in place to minimize such threats.
Delve has denied these claims while also pushing for operational changes, but the damage has been severe enough that Y Combinator has cut ties with the company.
LiteLLM has ditched Delve and is now working with other AI compliance startups to regain security certification. LiteLLM also released a full report on the security incident.
However, Mercor itself is not a Delve customer, the company confirmed to TechCrunch. But if Mercor’s fallout continues, a lot of revenue could be at stake. Before the data breach, the company was on track to hit more than $1 billion in annual revenue earlier this year, anonymous sources told The Information.