
After its data breach, $10B-valued startup Mercor is having a month

Six months ago, Mercor was flying high after raising a massive $350 million Series C that valued the AI data training startup at $10 billion. But since admitting on March 31 that it was the target of a data breach, the company has been facing a world of problems.

Since then, a hacking group has said it holds 4TB of data stolen from Mercor’s systems, including candidate profiles, personally identifiable information, employer data, source code, and API keys. Mercor did not comment on the authenticity of the data, saying only that it is investigating and will “continue to communicate with our customers and contractors directly as appropriate and devote the necessary resources to resolve this matter as soon as possible.”

Mercor said its data breach was the result of a compromise of the open source tool LiteLLM. The tool is so popular that it is downloaded millions of times a day. For 40 minutes, the tool contained malware: malicious software that could steal login credentials. Those credentials were used to gain access to multiple pieces of software and accounts, which the attackers used to harvest additional credentials, and so on.

Although there has been no official acknowledgment of how much data was taken from Mercor, there have been consequences all the same. Meta has suspended its contracts with Mercor indefinitely, sources told Wired. (Mercor declined to comment to TechCrunch about this.)

Like other AI data training contract companies, Mercor holds some of the model makers’ biggest trade secrets: the custom datasets and processes they use to train their models. This is so important to them that even after Meta spent $14.3 billion on Mercor’s competitor Scale AI, it continued to work with Mercor.

In the area of good news for Mercor (maybe…we’ll see): OpenAI also confirmed to Wired that it was investigating its exposure in the Mercor breach, but said it had not paused or terminated its contracts at that time. However, TechCrunch has heard from multiple sources that other major model makers may also scale back their relationship with Mercor after the breach, though we haven’t yet confirmed enough details to name them.

Meanwhile, five Mercor contractors have filed lawsuits, Business Insider reports, over alleged disclosures of personal data. Whether these suits represent a serious threat or are merely opportunistic remains to be seen. (Mercor declined to comment.)

One lawsuit, reviewed by TechCrunch, even named LiteLLM and Delve as defendants. This is natural, and perhaps a stretch, but here’s the connection: LiteLLM used AI compliance startup Delve to get its security certifications. Delve has been accused by an anonymous person of forging security certifications and using rubber-stamping auditors.

A security certification does not directly prevent hackers from launching a successful attack, but it is intended to ensure that companies have procedures in place to mitigate such threats.

Delve denied those allegations while simultaneously making operational changes, but it has been in a world of hurt, to the point that Y Combinator severed ties with the company.

LiteLLM has left Delve and is now working with another AI compliance startup to regain its security certifications. LiteLLM has also published a comprehensive report on the security incident.

But Mercor itself was not a Delve customer, the company confirmed to TechCrunch. If, however, Mercor’s downfall continues, more revenue could be at risk. The company was reportedly on the cusp of earning more than one billion in annual revenue at the beginning of the year before the data leak, an anonymous source told The Information.
