
A class action lawsuit filed in U.S. District Court for the Northern District of California targets Mercor.io Corp., a fast-growing artificial intelligence hiring startup, over a cyberattack that allegedly exposed the sensitive personal data of more than 40,000 people. Plaintiff Lisa Gill, a resident of Wahiawa, Hawaii, filed the complaint on April 1, 2026.
The suit alleges that Mercor failed to maintain basic cybersecurity protections, leaving current and former contract employees and customers vulnerable to identity theft and fraud. Gill is seeking damages on behalf of herself and a nationwide class of anyone whose personal information was accessed or stolen during the breach.
San Francisco-based Mercor.io was founded in 2023 and runs an AI-powered hiring platform that connects specialized domain experts, including scientists, doctors and lawyers, with technology companies that need help training AI models and chatbots. The company's clients include major AI developers OpenAI and Anthropic.
LiteLLM supply chain attack
The cyberattack at the center of the lawsuit stems from what security professionals call a "supply chain attack." In this type of attack, hackers compromise a third-party software tool that other companies rely on, rather than targeting a victim directly. This approach allows criminals to reach many companies at once through a single point of entry.
According to the complaint, the attack entered Mercor's systems through LiteLLM, a widely used open-source software tool.
SecurityWeek reported that the LiteLLM incident occurred on March 27, 2026. Attackers used stolen developer credentials to publish two malicious versions of the LiteLLM software package. Those packages were available for download for roughly 40 minutes before being pulled, but they are believed to have been automatically downloaded by thousands of companies before the attack was detected.
After the attack became public, a hacking group the complaint identifies as "LAPSUS" claimed responsibility for the breach. The group is widely reported in the cybersecurity press as "Lapsus$" and is known for targeting high-profile technology companies through extortion.
According to the complaint, the group claimed to have exfiltrated four terabytes of data from Mercor's systems, which it listed for auction on the dark web.

The scale of the breach, as described in the complaint and confirmed in part by media reporting, was significant. It has been reported that the stolen cache allegedly included 939 gigabytes of platform source code, a 211-gigabyte user database and three terabytes of storage data said to contain video interviews and identity verification documents.
Mercor publicly confirmed the security incident, stating it was "one of thousands of companies" affected by the LiteLLM supply chain compromise. The company said its security team moved quickly to contain the breach and that it brought in third-party forensics experts to support a thorough investigation.
Allegations of cybersecurity failures
The complaint argues that the breach was preventable and that Mercor's cybersecurity practices fell well below what industry standards require.
Among the specific failures alleged, the complaint says Mercor did not implement multi-factor authentication, a security system that requires users to confirm their identity in more than one way before accessing a system. Without this protection, stolen login credentials alone can give attackers full access to a company's systems.
The lawsuit further alleges that Mercor failed to encrypt sensitive data, both when it was stored and when it was transmitted across its networks. Encryption is a process that scrambles data so that only authorized parties can read it. Without encryption, stolen data is immediately usable by attackers.
Additionally, the suit claims Mercor did not limit which employees or systems could access sensitive personal information, did not monitor its systems for unusual or suspicious activity and did not rotate passwords regularly to reduce the risk of attackers exploiting old or stolen credentials.
Extensive relief sought
The proposed class covers all U.S. residents whose personal information was accessed or acquired by unauthorized parties during the breach. The complaint estimates that more than 40,000 individuals fall into this group.
The personally identifiable information, commonly abbreviated as PII, at issue may include full names, Social Security numbers and other sensitive data belonging to current and former Mercor contract employees and customers. Social Security numbers are particularly valuable to criminals because they can be used to open fraudulent accounts, file false tax returns and steal a person's financial identity.
Gill describes in the complaint how the breach affected her personally. She says she spent significant time, sometimes hours per day, dealing with its consequences. That included researching the breach to understand what happened, sorting through a surge in spam and junk communications and reviewing her credit reports and financial accounts to check for signs of fraud.
Beyond the time she lost, she now faces, according to the complaint, an elevated risk of identity theft going forward.
For class members broadly, the complaint identifies a range of injuries. Those include invasion of privacy, the theft of personal information, the reduced value of that personal data now that it may be in the hands of criminals, lost time spent managing the fallout and a rise in unwanted spam communications.
The complaint also alleges loss of the benefit of the bargain, a legal concept referring to the idea that users gave their data to Mercor with a reasonable expectation of security that the company allegedly did not deliver.
The lawsuit asks the court to award compensatory damages to cover actual losses, as well as consequential, statutory, nominal and punitive damages.
Beyond financial compensation, the suit seeks extensive injunctive relief, meaning court orders requiring Mercor to make specific changes to its operations. Among the remedies requested, the complaint asks the court to order Mercor to overhaul its data security systems, build out a comprehensive information security program, provide credit monitoring services to affected individuals, submit to annual security audits and hire independent, third-party security auditors.
As of the time of publishing, at least three other class action lawsuits have been filed in federal court relating to the Mercor data breach.



