After data breach, $10B-valued startup Mercor is having a month

Mercor, an AI data training startup valued at $10 billion after a $350M Series C, is facing severe fallout from a major data breach. The incident, disclosed on March 31, originated from a 40-minute window where the widely-used open-source tool LiteLLM was compromised with credential-harvesting malware. Hackers claim to have exfiltrated 4TB of sensitive data, including candidate and employer personally identifiable information (PII), source code, API keys, and—most critically—the proprietary datasets and processes used by Mercor's clients to train their AI models.

The breach has triggered immediate and significant consequences. Meta has indefinitely paused its contracts with Mercor, a major blow given the company's importance in handling core AI trade secrets. OpenAI confirmed it is investigating its exposure, and other large model makers are reportedly weighing their relationships. Five contractors have filed lawsuits over alleged personal data exposure. The legal fallout extends to LiteLLM and its former compliance auditor, Delve, which is accused of faking security certification data. While Mercor was not a Delve client, the incident's chain of failures highlights systemic risks in the AI supply chain.

For Mercor, the stakes are enormous. The company was reportedly on pace for over $1 billion in annualized revenue before the breach. The loss of trust from cornerstone clients like Meta, coupled with legal liabilities and reputational damage, threatens its core business model of handling sensitive AI training data. The situation underscores the extreme vulnerability of AI infrastructure companies that act as custodians for the industry's most valuable intellectual property.