Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Six months ago, Mercur was flying high After raising a massive $350 million Series C Which values the AI data training startup at $10 billion. But after confession On March 31, it was the target of a data breachthe company was facing a world of problems.
Since then, a group of hackers has claimed to have had 4 terabytes of data stolen from Mercor’s systems, including candidate profiles, personally identifiable information, employer data, source code, and API keys. Mercur did not comment on the authenticity of the data, confirming only that it is investigating the matter and “will continue to communicate with our customers and contractors directly as appropriate and allocate the necessary resources to resolve the problem as soon as possible.”
Mercur said its data breach was… Result of hacking of the open source tool LiteLLM. This tool is so popular that it is downloaded millions of times daily. For 40 minutes, the tool contained credential harvesting malware, which is rogue software that can steal login credentials. These credentials were used to access more programs and accounts, which I used to harvest more credentials, and so on.
While there has been no official acknowledgment of the amount of data collected by Merkur, there have been repercussions nonetheless. Meta has paused its contracts with Mercor indefinitely. Wired sources said. (Merkur declined to comment to TechCrunch on this matter.)
Like other contract AI data training companies, Mercor handles some of model makers’ biggest trade secrets: custom datasets and the processes they use to teach their models. This is very important to them even after he died $14.3 billion on Merkur competitor Scale AII continued to work with Mercur.
In some good news for Mercor (maybe…we’ll see): OpenAI also confirmed to Wired that it was investigating Mercor’s breach, but said it was not pausing or terminating its contracts at the time. However, TechCrunch has heard from multiple sources that other large model makers may also be considering their relationships with Mercor following the hack, though we haven’t confirmed enough details to name names yet.
Meanwhile, five Mercur contractors filed lawsuits, Business Insider Reportsdue to the alleged exposure of their personal data. It remains to be seen whether these lawsuits represent a serious threat or are merely opportunistic and annoying. (Mercur declined to comment.)
TechCrunch event
San Francisco, California
|
October 13-15, 2026
One lawsuit, reviewed by TechCrunch, even named LiteLLM and Delv as defendants. This is wild, and perhaps a stretch, but here’s the connection: LiteLLM used AI compliance startup Delve to obtain its security certifications. Wading He was accused By an anonymous whistleblower for allegedly falsifying data to obtain security certificates and using rubber-checkers.
A security certificate does not directly prevent hackers from launching successful attacks, but its purpose is to ensure that companies have processes in place to mitigate such threats.
Although Delve has denied the allegations while simultaneously making operational changes, it was a world of hurt in itself. To the point where Y Combinator cut ties With the company.
LiteLLM I gave up on Delphi It is now working with another AI startup to get its security certifications again. LiteLLM is also published Full report On the security incident.
But Mercor itself was not a Delve customer, the company confirmed to TechCrunch. However, if the fallout continues for Mercur, a lot of revenue could be at stake. The company was reportedly on track to achieve annual revenues of more than $1 billion earlier this year before the data leak An anonymous source of information said.