Six months after raising $350 million at a $10 billion valuation, AI startup Mercor is dealing with the consequences of a serious data breach that has put its biggest client relationships at risk and triggered legal action from affected contractors.
Mercor confirmed the breach on March 31, attributing it to a compromise of LiteLLM, a widely used open-source tool downloaded millions of times daily. For roughly 40 minutes, LiteLLM harbored credential-harvesting malware that stole login credentials and used them to access additional systems, compounding the damage in a chain reaction across connected accounts and software.
Since the disclosure, a hacker group has claimed to hold 4TB of data stolen from Mercor’s systems, including candidate profiles, personally identifiable information, employer data, source code, and API keys. Mercor has not confirmed or denied the authenticity of the claimed data, stating only that it is investigating and will continue communicating with customers and contractors as appropriate.
As TechJuice previously covered, Meta has paused its contracts with Mercor indefinitely. The pause is especially notable because Meta continued working with Mercor even after spending $14.3 billion to acquire Mercor’s competitor Scale AI, a sign of how much it valued the relationship.
OpenAI confirmed it was investigating its own exposure in the breach but said it had not paused its contracts at the time of reporting. Multiple other large model makers are also reportedly weighing their relationships with Mercor, though no further names have been confirmed.
Five of Mercor’s contractors have filed lawsuits over alleged personal data exposure. One lawsuit reviewed by TechCrunch named LiteLLM and AI compliance startup Delve as co-defendants; the connection is that LiteLLM used Delve to obtain its security certifications. Delve has since been accused by an anonymous whistleblower of faking data for those certifications and using rubber-stamp auditors. Delve denied the allegations but made operational changes. Y Combinator subsequently cut ties with the company, and LiteLLM dropped Delve in favour of a different compliance partner.
The sequence of events has put the broader AI supply chain under scrutiny, with security researchers noting that trusted intermediary tools represent an underexamined attack surface across the industry.

