Mercor’s $10B Empire Unravels After Massive Data Breach

A single 40-minute window of vulnerability has thrown one of AI’s most valuable startups into crisis. Mercor, the AI data training company valued at $10 billion after raising $350 million last fall, is now facing lawsuits, lost contracts, and serious questions about its future, according to TechCrunch AI.

Here’s what happened: on March 31, Mercor disclosed it was hit by a data breach. A hacker group now claims to have obtained 4TB of stolen data, including candidate profiles, personally identifiable information, employer data, source code, and API keys. Mercor hasn’t confirmed or denied the scope of what was taken.

How It Started

The breach traces back to LiteLLM, a popular open source tool downloaded millions of times daily. For just 40 minutes, LiteLLM harbored credential-harvesting malware. Those stolen credentials were used to hop across systems, harvesting more access along the way, until attackers reached Mercor’s data.

What makes this particularly damaging: Mercor handles some of the AI industry’s most sensitive secrets. The custom datasets and training processes that model makers use to teach their AI are the kind of intellectual property companies guard fiercely.

The Fallout So Far

The consequences are stacking up fast:

  • Meta has paused its contracts with Mercor indefinitely, sources told Wired. This is notable because Meta had continued working with Mercor even after spending $14.3 billion on competitor Scale AI.
  • OpenAI confirmed it’s investigating its exposure but hasn’t paused contracts yet.
  • Multiple other large model makers are reportedly weighing their relationships with Mercor, though TechCrunch hasn’t confirmed enough details to name them.
  • Five contractors have filed lawsuits over alleged personal data exposure, Business Insider reports.

Before the breach, Mercor was reportedly on pace to hit over $1 billion in annualized revenue, according to The Information. If major clients start pulling out, that trajectory changes dramatically.

The Delve Connection

One lawsuit reviewed by TechCrunch names not just Mercor but also LiteLLM and Delve, an AI compliance startup. The thread connecting them: LiteLLM used Delve to obtain its security certifications. A whistleblower has accused Delve of faking data for those certifications and using rubber-stamping auditors. Y Combinator has already severed ties with Delve over the allegations.

Mercor itself was not a Delve customer, the company confirmed. But the lawsuit argues there’s a chain of responsibility worth pursuing. Whether courts agree is another matter entirely.

LiteLLM has since dropped Delve, switched to a new compliance provider, and published a full incident report.

Why This Matters

This situation highlights a critical vulnerability in the AI supply chain. Mercor didn’t get hacked directly. It got hacked because an open source dependency got compromised for less than an hour. That’s all it took.

For AI companies handling training data for the biggest model makers in the world, the security bar just got raised significantly. If a $10 billion company can lose Meta as a client over a third-party tool compromise, every AI data vendor should be auditing their dependency chains right now.
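One concrete form a dependency-chain audit can take, shown as an added example that is not from the article, LiteLLM, or Mercor: flag requirement lines that are unpinned, lack a hash, or pin a release younger than a cooldown period, so a release that was bad for only 40 minutes would never be installed. It assumes a pip-style requirements file, that the malicious code shipped as a package release (the article does not say), and that upload times are available from your index or mirror; all package names, hashes and timestamps are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: package names, versions, hashes and upload times are
# made up for illustration and do not describe any real release.
REQUIREMENTS = """\
example-llm-proxy==2.4.1 --hash=sha256:aaaa
example-http>=1.0
example-yaml==6.0.2
example-new==0.9.0 --hash=sha256:bbbb
"""
UPLOADED = {  # (name, version) -> upload time, assumed to come from an index mirror
    ("example-llm-proxy", "2.4.1"): datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc),
    ("example-yaml", "6.0.2"): datetime(2024, 6, 1, 0, 0, tzinfo=timezone.utc),
    ("example-new", "0.9.0"): datetime(2025, 1, 10, 11, 30, tzinfo=timezone.utc),
}
NOW = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)  # fixed so the run is repeatable

PIN = re.compile(r"^([A-Za-z0-9._-]+)==([^\s;]+)")

def audit(requirements, uploaded, now, cooldown=timedelta(days=3)):
    """Return (package, finding) pairs for lines that could pull in a fresh or unverified release."""
    findings = []
    for raw in requirements.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = PIN.match(line)
        if not m:
            name = re.split(r"[<>=!~\s;\[]", line, maxsplit=1)[0]
            findings.append((name, "unpinned: resolves to whatever is newest at install time"))
            continue
        name, version = m.groups()
        if "--hash=" not in line:
            findings.append((name, "no hash: artifact content is not verified at install time"))
        when = uploaded.get((name, version))
        if when is None:
            findings.append((name, "upload time unknown"))
        elif now - when < cooldown:
            findings.append((name, f"released {now - when} ago, inside cooldown"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(REQUIREMENTS, UPLOADED, NOW):
        print(f"{name}: {finding}")
```

The cooldown length is a policy choice; the three-day default here is an assumption, not a recommendation from the article.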

Mercor has said only that it’s investigating and “will continue to communicate with our customers and contractors directly as appropriate.” For a company that was riding high six months ago, the next few weeks will determine whether this is a recoverable stumble or something much worse.

More details are available in TechCrunch AI’s full reporting.
