Mercor Faces Fallout After Major Data Breach

After Data Breach, $10B-Valued Startup Mercor Faces Significant Repercussions

Six months after securing a massive $350 million Series C funding round that valued it at $10 billion, AI data training startup Mercor is grappling with a severe data breach that occurred on March 31, 2026. The breach, reportedly linked to a compromise of the open-source tool LiteLLM, has led to significant fallout for the company.

The Data Breach and Its Immediate Aftermath

A hacker group has claimed to have exfiltrated 4TB of data from Mercor's systems, including sensitive information such as candidate profiles, personally identifiable information (PII), employer data, source code, and API keys. Mercor has acknowledged the breach and stated it is under investigation, promising to communicate with customers and contractors directly.

Root Cause: LiteLLM Vulnerability

The breach is attributed to a security flaw in the widely used open-source tool LiteLLM. For a period of 40 minutes, LiteLLM reportedly contained credential-harvesting malware, which attackers exploited to gain access to Mercor's systems and subsequently steal credentials, leading to a cascade of further access.

Repercussions and Client Reactions

  • Meta Pauses Contracts: Meta has indefinitely paused its contracts with Mercor, citing concerns over the potential exposure of AI industry secrets. Mercor handles critical custom datasets and processes used by AI model makers.
  • OpenAI Investigating: OpenAI is also investigating its exposure but has not yet paused or ended its contracts.
  • Other Clients Weighing Options: Multiple sources indicate that other major AI model makers are re-evaluating their relationships with Mercor following the breach.

Legal Challenges and Related Issues

  • Contractor Lawsuits: Five of Mercor's contractors have filed lawsuits alleging exposure of their personal data.
  • LiteLLM and Delve Lawsuit: One lawsuit has also named LiteLLM and Delve as defendants. This stems from allegations that Delve, an AI compliance startup that provided security certifications to LiteLLM, may have faked data for its certifications. Delve has faced its own controversies, including Y Combinator severing ties with the company.
  • LiteLLM's Response: LiteLLM has since parted ways with Delve and is working with another compliance startup. It has also published a detailed report on the security incident.

Financial Impact

Prior to the data leak, Mercor was reportedly on track to achieve over $1 billion in annualized revenue. The full extent of the financial impact from client losses and legal challenges remains to be seen.
