$10B Startup Mercor Faces Disaster After Shocking Data Breach—Is Your Info at Risk?

Six months ago, Mercor was soaring high after securing a hefty $350 million Series C round, valuing the AI data training startup at $10 billion. However, the company’s fortunes took a turn for the worse when it disclosed on March 31 that it had fallen victim to a data breach.

In the wake of the breach, a hacker group has asserted that it obtained 4TB of sensitive data from Mercor's systems, including candidate profiles, personally identifiable information, employer data, source code, and API keys. Despite the gravity of the situation, Mercor has not confirmed the authenticity of the leaked data, stating only that it is investigating and will engage with customers and contractors as necessary.

The breach is reportedly linked to a compromise of the open source tool LiteLLM, a widely used package downloaded millions of times daily. For a period of about 40 minutes, the distributed package carried credential-harvesting malware, software designed to steal login credentials and secrets from the machines that installed it. Credentials taken in that window were then reportedly used to reach other software and accounts, where further credentials could be harvested, so that one compromised dependency cascaded into broader access.

While Mercor has not publicly clarified the extent of the data compromised, the consequences have been significant. Reports indicate that Meta has indefinitely paused its contracts with Mercor, a decision that underscores the severity of the breach. Mercor refused to comment on this development when approached by TechCrunch.

Mercor, like other AI data training companies, deals with crucial elements of model makers' operations, including the custom datasets and processes that are essential for training AI models. Interestingly, even after Meta invested $14.3 billion in Mercor's competitor, Scale AI, it continued its relationship with Mercor, highlighting the strategic importance of the company.

In a potentially positive sign for Mercor, OpenAI confirmed to Wired that it is investigating its potential exposure resulting from the breach, although it has not yet paused or terminated its contracts with Mercor. However, sources indicate that other major model makers are reevaluating their relationships with Mercor in light of the incident, although specific details have yet to be verified.

In another development, five of Mercor's contractors have filed lawsuits, as reported by Business Insider, claiming that their personal data was exposed. Whether these suits pose a serious legal threat to Mercor or are merely opportunistic remains to be seen. Mercor has not commented on the legal actions.

One particularly notable lawsuit has named both LiteLLM and another AI compliance startup, Delve, as defendants. The connection appears to stem from accusations against Delve by an anonymous whistleblower, alleging that the company falsified data for security certifications and relied on rubber-stamping auditors. While security certifications are crucial for minimizing risks, they do not guarantee protection against all types of cyberattacks.

Delve has denied these allegations but has experienced significant fallout, leading to Y Combinator severing ties with the company. In response to the breach, LiteLLM has since switched to a new AI compliance partner for its security certifications and released a comprehensive report detailing the security incident.

Interestingly, Mercor has clarified that it was not a customer of Delve. Nevertheless, if the repercussions of this breach continue to unfold negatively, Mercor could face substantial financial losses. Earlier this year, before the data leak, the company was reportedly on track to achieve over $1 billion in annualized revenue, according to an anonymous source quoted by The Information.

The events surrounding Mercor illustrate a broader narrative of challenges facing companies in the AI sector, especially those that deal with sensitive data. As the landscape of cybersecurity continues to evolve, the repercussions from this data breach may resonate far beyond Mercor, serving as a cautionary tale for others in the industry about the importance of robust security measures in an increasingly digital world.
