Six months ago, Mercor was flying high after raising a massive $350 million Series C that valued the AI data training startup at $10 billion. But after admitting on March 31 that it was the target of a data breach, the company has been facing a world of trouble.

Since then, a hacker group has claimed to have obtained 4TB of stolen data from Mercor’s systems, including candidate profiles, personally identifiable information, employer data, source code, and API keys. Mercor has not commented on the authenticity of the data, reiterating only that it is investigating and “will continue to communicate with our customers and contractors directly as appropriate and devote the resources necessary to resolving the matter as soon as possible.”

Mercor said its data breach was the result of a hack of the open source tool LiteLLM. This tool is so popular that it’s downloaded millions of times a day. For 40 minutes, the tool harbored credential harvesting malware — rogue software that could steal login credentials. Those credentials were used to gain access to more software and accounts, which it used to harvest more credentials, and so on.

While there have been no formal acknowledgments of how much data was scooped up from Mercor, there have been repercussions all the same. Meta has paused its contracts with Mercor indefinitely, sources told Wired. (Mercor declined to comment to TechCrunch about this.)

Like other contract AI data training companies, Mercor handles some of the model makers’ biggest trade secrets: the custom data sets and processes they use to teach their models. This is so important to them that even after Meta spent $14.3 billion on Mercor’s competitor Scale AI, it continued working with Mercor.

In a spot of good news for Mercor (maybe…we’ll see): OpenAI also confirmed to Wired that it was investigating its exposure in Mercor’s breach, but said it had not paused or ended its contracts at the time. However, TechCrunch has heard from multiple sources that other large model makers may also be weighing their relationships with Mercor after the breach, although we have not confirmed enough details to name names as of yet.

In the meantime, five of Mercor’s contractors have filed lawsuits, Business Insider reports, over their alleged personal data exposure. Whether these suits represent a serious threat or are just opportunistic and a nuisance remains to be seen. (Mercor declined to comment.)

Techcrunch event

This Week Only: Save up to $500 for Disrupt 2026

Offer ends April 10, 11:59 p.m. PT

Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to secure these savings.

This Week Only: Save up to $500 for Disrupt 2026

Offer ends April 10, 11:59 p.m. PT

San Francisco, CA

October 13-15, 2026

One lawsuit, reviewed by TechCrunch, even named LiteLLM and Delve as defendants. This is wild, and perhaps a stretch, but here’s the connection: LiteLLM used AI compliance startup Delve to obtain its security certifications. Delve has been accused by an anonymous whistleblower of allegedly faking data for security certifications and using rubber-stamping auditors.

A security certification does not directly prevent hackers from launching successful attacks, but it is intended to ensure that companies have processes in place to minimize such threats.

Although Delve has denied those allegations while simultaneously instituting operational changes, it has been in a world of hurt of its own, to the point where Y Combinator severed ties with the company.

LiteLLM ditched Delve and is now working with another AI compliance startup to obtain its security certifications again. LiteLLM also published a complete report on the security incident.

But Mercor itself was not a Delve customer, the company confirmed to TechCrunch. If, however, the fallout for Mercor continues, a lot of revenue could be at stake. The company was reportedly on pace to hit over $1 billion in annualized revenue earlier this year before the data leak, an anonymous source told The Information.

Topics

AI, Delve, LiteLLM, Mercor, Startups, TC

Julie Bort

Venture Editor

Julie Bort is the Startups/Venture Desk editor for TechCrunch.

You can contact or verify outreach from Julie by emailing julie.bort@techcrunch.com or via @Julie188 on X.

View Bio

April 30

San Francisco, CA

StrictlyVC kicks off the year in SF. Get in the room for unfiltered fireside cha

After data breach, $10B-valued startup Mercor is having a month