Mercor Data Breach: Contractors Affected

Mercor, an AI training data platform that connects frontier AI labs with domain experts for model training, confirmed it was affected by a cyberattack tied to a compromise of the open-source project LiteLLM.

Mercor confirmed the security incident in a statement to TechCrunch, which reported on the breach on March 31, 2026. The company also released a statement on X, formerly Twitter, acknowledging the breach.

The total number of individuals affected has not been publicly disclosed.

What happened in the Mercor data breach

The breach was allegedly connected to a supply chain attack involving LiteLLM, a Y Combinator-backed open-source project used widely across the internet.

According to TechCrunch, malicious code was discovered in a package associated with LiteLLM's project. The compromise was linked to a hacking group called TeamPCP.

The malicious code was identified and removed within hours. Mercor told TechCrunch it was "one of thousands of companies" affected by the LiteLLM compromise.

The incident prompted LiteLLM to make changes to its compliance processes, including shifting from the startup Delve to Vanta for compliance certifications, according to TechCrunch.

Notably, the extortion hacking group Lapsus$ claimed responsibility for targeting Mercor.

On March 30, 2026, the group posted on Telegram alleging it was selling Mercor's data. The posting claimed the stolen material totaled four terabytes and included databases, source code and customer and employee data.

The specific types of personal information that may have been exposed have not been publicly detailed by Mercor. Based on the claims made by Lapsus$, the compromised material could include both customer and employee data, though the company has not confirmed what categories of personal data were involved.

Mercor's response to the breach

Mercor spokesperson Heidi Hagberg confirmed to TechCrunch that the company took action to contain and remediate the security incident.

Hagberg declined to answer follow-up questions about whether the incident was connected to claims made by Lapsus$, according to TechCrunch. She also declined to say whether any customer or contractor data had been accessed, exfiltrated or misused.

Mercor stated it would communicate with its customers and contractors directly as the investigation progresses.

Steps to take if your information was exposed

• Review your financial accounts regularly for unauthorized transactions, especially if you shared banking or payment information with Mercor as a contractor or customer.
• Change your passwords on any accounts associated with Mercor or that share the same login credentials, and enable two-factor authentication where available.
• Request your free credit reports at AnnualCreditReport.com and check for unfamiliar accounts or inquiries that you did not authorize.
• Consider placing a fraud alert or credit freeze with Equifax (1-800-525-6285), Experian (1-888-397-3742) and TransUnion (1-800-680-7289) to help guard against identity theft.
• Be cautious of phishing attempts that reference Mercor, LiteLLM or this breach by name, as attackers may use the situation to trick people into sharing personal information through fake emails or messages.