After data breach, $10B-valued startup Mercor is having a month

Six months ago, Mercor was flying high after raising a massive $350 million Series C, valuing the AI data training startup at $10 billion. But after the company admitted on March 31 that it was the target of a data breach, the company faced a world of problems.

Since then, a hacker group claims to have obtained 4TB of stolen data from Mercor’s systems, including candidate profiles, personally identifiable information, employer data, source code and API keys. Mercor has not commented on the authenticity of the data, only reiterating that it is investigating and “will continue to communicate directly with our customers and contractors as necessary and deploy the necessary resources to resolve the matter as quickly as possible.”

Mercor said the data breach resulted from a hack of the open source tool LiteLLM. This tool is so popular that it is downloaded millions of times a day. For forty minutes, the tool contained credential harvesting malware: rogue software that could steal login credentials. Those credentials were used to access more software and accounts, which were in turn used to collect more credentials, and so on.

While there has been no formal acknowledgment of the amount of data extracted from Mercor, there have been repercussions. Meta has suspended its contracts with Mercor indefinitely, sources told Wired. (Mercor declined to comment on this to TechCrunch.)

Like other contract AI data training companies, Mercor handles some of the model makers’ biggest trade secrets: the custom data sets and processes they use to teach their models. This is so important to them that even after Meta spent $14.3 billion on Mercor’s competitor Scale AI, it continued to work with Mercor.

Some good news for Mercor (maybe… we’ll see): OpenAI also confirmed to Wired that it was investigating Mercor’s breach exposure, but said it had not paused or terminated its contracts at that time. However, TechCrunch has heard from multiple sources that other major model makers may also be reconsidering their relationship with Mercor following the breach, although we haven’t confirmed enough details yet to name names.

In the meantime, five Mercor contractors have filed lawsuits over the alleged exposure of their personal data, Business Insider reports. Whether these suits pose a serious threat or are merely opportunistic and a nuisance remains to be seen. (Mercor declined to comment.)

One lawsuit reviewed by TechCrunch even named LiteLLM and Delve as defendants. This is wild and perhaps challenging, but here’s the connection: LiteLLM used AI compliance startup Delve to obtain its security certifications. Delve has been accused by an anonymous whistleblower of falsifying safety certification data and using rubber-stamping auditors.

A security certification does not directly prevent hackers from launching successful attacks, but is intended to ensure that companies have processes in place to minimize such threats.

Although Delve has denied these allegations while making operational changes, the company is in a world of pain of its own, to the point where Y Combinator has cut ties with the company.

LiteLLM ditched Delve and is now working with another AI compliance startup to reacquire its security certifications. LiteLLM also published a full report about the security incident.

But Mercor itself was not a Delve customer, the company confirmed to TechCrunch. However, if the fallout for Mercor continues, a lot of revenue could be at stake. The company was reportedly on track to exceed $1 billion in revenue earlier this year before the data breach, an anonymous source told The Information.
