Mercor data breach fallout: Meta pauses contracts, lawsuits filed as $10B AI startup reels

San Francisco – Mercor, an AI data training startup valued at $10 billion, is confronting severe operational and reputational damage following a major data breach disclosed on 31 March. The incident, which the company attributes to a compromised open-source tool, has led key client Meta to indefinitely pause its contracts and sparked multiple lawsuits from affected contractors.

The hacker group behind the attack claims to have exfiltrated 4 terabytes of data, including candidate profiles, personally identifiable information, employer data, proprietary source code, and API keys. Mercor has stated it is investigating the breach's scope but has not verified the authenticity of the stolen data cache.

Credential Harvesting Attack Vector

The breach originated from the popular open-source tool LiteLLM, which was compromised by credential-harvesting malware for a 40-minute period. "Those credentials were used to gain access to more software and accounts, which it used to harvest more credentials, and so on," a source familiar with the investigation explained. LiteLLM, downloaded millions of times daily, has since published a full report on the security incident.

Mercor's role involves handling highly sensitive, custom datasets for large AI model makers, making the breach particularly damaging. This proprietary data is considered a core trade secret for clients like Meta and OpenAI.

Client Relationships Under Strain

The breach's repercussions are escalating. Meta has paused its contracts with Mercor indefinitely, according to sources speaking to Wired. This is significant given that Meta continued working with Mercor even after investing $14.3 billion in its competitor, Scale AI.

OpenAI confirmed to Wired it is investigating its potential exposure but, at the time of reporting, had not paused its contracts. However, TechCrunch has learned from multiple sources that other large AI model makers are reassessing their relationships with Mercor in the breach's wake.

Legal and Financial Fallout

Five contractors have filed lawsuits against Mercor, as reported by Business Insider, alleging their personal data was exposed. One lawsuit, reviewed by TechCrunch, also names LiteLLM and AI compliance startup Delve as defendants, creating a complex legal web.

The connection stems from LiteLLM using Delve to obtain security certifications prior to the incident. Delve has faced separate allegations from an anonymous whistleblower of falsifying data for certifications, which it denies. The controversy led startup accelerator Y Combinator to sever ties with Delve.

Mercor confirmed to TechCrunch it was not a Delve customer. Financially, the stakes are high: an anonymous source told The Information that Mercor was on track to surpass $1 billion in annualised revenue earlier this year before the data leak.

Broader Security Implications

The incident highlights critical vulnerabilities in the AI supply chain, where a breach at a single contractor can compromise the intellectual property of multiple industry giants. Security certifications, like those Delve provided, are intended to ensure robust threat mitigation processes but do not guarantee immunity from attacks.

Mercor has stated it "will continue to communicate with our customers and contractors directly as appropriate and devote the resources necessary to resolving the matter as soon as possible." The company's ability to retain client trust and contain the legal and financial damage will determine its trajectory following its $350 million Series C funding round just six months ago.