Mercor’s $10B valuation at risk after data breach

Summary
– Mercor, an AI data training startup, disclosed a major data breach on March 31, six months after a funding round valued it at $10 billion.
– A hacker group claims to have stolen 4TB of data, including candidate profiles, source code, and API keys, though Mercor has not verified this.
– The breach originated from credential-harvesting malware in the popular open-source tool LiteLLM, which was compromised for 40 minutes.
– Major clients like Meta have paused contracts indefinitely, and other large AI model makers may be reconsidering their relationships with Mercor.
– The breach has led to lawsuits from contractors over exposed personal data and has put significant potential revenue at risk for the company.
Just six months after a landmark funding round valued the AI data training firm at $10 billion, Mercor is confronting a severe crisis. The company’s admission of a significant data breach on March 31 has triggered a cascade of operational and legal challenges, putting its hard-won market position and valuation in jeopardy. A hacker group claims to have exfiltrated 4TB of sensitive information, including candidate profiles, personally identifiable information, proprietary source code, and critical API keys. While Mercor has not verified the stolen data’s authenticity, it maintains that an investigation is ongoing and that it is dedicating resources to resolve the situation.
The breach originated from a compromise of the widely used open source tool LiteLLM. For a critical 40-minute window, a version of the tool contained credential-harvesting malware, which was used to steal login details. Those credentials then provided a foothold to access additional systems in a chain reaction, ultimately leading to the massive data theft. The incident’s fallout has been immediate and severe. Meta has paused its contracts with Mercor indefinitely, a significant blow given the sensitive nature of the work. AI model makers like Mercor handle custom data sets and proprietary training processes, which are among the industry’s most guarded secrets. This trust is so vital that Meta continued its relationship with Mercor even after making a multi-billion dollar investment in rival Scale AI.
Other major clients are now scrutinizing their exposure. OpenAI confirmed it is investigating but has not yet suspended its contracts. However, multiple industry sources indicate other large model makers are reevaluating their partnerships with Mercor in the breach’s wake. The financial stakes are enormous. Before the incident, an anonymous source indicated Mercor was on track to surpass $1 billion in annualized revenue this year. That trajectory is now under threat.
The legal repercussions are mounting as well. Five contractors have filed lawsuits against Mercor over their alleged personal data exposure, according to reports. One reviewed lawsuit takes an unusual legal approach, naming not only Mercor but also LiteLLM and the compliance startup Delve as defendants. The connection stems from LiteLLM’s use of Delve to obtain security certifications. Delve has faced anonymous whistleblower allegations of faking data for certifications and using compliant auditors, claims the company denies. Although Mercor was not a Delve client, the association highlights the complex web of accountability. The controversy has been damaging enough for Y Combinator to sever ties with Delve.
In response, LiteLLM has switched compliance partners and published a full report on the security incident. For Mercor, the path forward is fraught. The company must manage the ongoing investigation, repair critical client relationships, and defend against litigation, all while the shadow of the breach threatens its once-soaring valuation. The coming months will test whether this AI unicorn can recover from a crisis that has exposed the profound vulnerabilities in a sector built on trust and secrecy.
(Source: TechCrunch)