Six months ago, Mercor was thriving after raising $350 million in Series C funding, valuing the AI data training startup at $10 billion. However, after admitting to a data breach on March 31, the company is now facing significant challenges.
A hacker group claims to have stolen 4TB of data from Mercor’s systems, which includes candidate profiles, personally identifiable information, employer data, source code, and API keys. Mercor has not confirmed the data’s authenticity but stated it is investigating and will communicate with customers and contractors as needed.
The breach resulted from a compromise of LiteLLM, a popular open-source AI tool. For 40 minutes, LiteLLM hosted malware that harvested credentials, and those credentials were then used to gain further access and collect data.
No formal acknowledgment has been made about the extent of Mercor’s data loss. Nonetheless, Meta has indefinitely paused its contracts with Mercor, though Mercor did not comment on this to TechCrunch.
Mercor handles crucial AI data training for its clients, including custom data sets and processes. Meta kept collaborating with Mercor even after investing $14.3 billion in Scale AI, a competitor.
OpenAI confirmed it is investigating its exposure due to Mercor’s breach but has not paused contracts. However, other large model makers might reconsider their partnerships with Mercor, although details remain unconfirmed.
Meanwhile, five of Mercor’s contractors filed lawsuits over alleged personal data exposure, as reported by Business Insider. It remains unclear if these suits pose a serious threat or are opportunistic. Mercor declined to comment.
One lawsuit includes LiteLLM and Delve as defendants. LiteLLM used Delve, an AI compliance startup, for security certifications. Delve is accused by a whistleblower of faking data for security certifications and using inadequate auditors.
A security certification attests that a company has controls in place to reduce its exposure to threats; it does not by itself prevent attacks. Delve has denied the accusations but is struggling, and Y Combinator has ended its association with the startup.
LiteLLM severed ties with Delve and now uses another compliance startup for security certifications. It also published a detailed report on the incident.
Mercor confirmed it wasn’t a Delve customer. If the fallout continues, significant revenue could be lost; the company was expected to exceed $1 billion in annualized revenue earlier this year before the data breach, according to an anonymous source.
