Mercor Data Breach: Social Security Numbers Compromised

Published
April 1, 2026
Updated
June 30, 2026
Mercor Data Breach: Social Security Numbers Compromised
Mercor

Mercor, an AI training data platform that connects frontier AI labs with domain experts for model training, confirmed it was affected by a cyberattack tied to a compromise of the open-source project LiteLLM. So far, 2,025 Texas residents, 778 Massachusetts residents and 35 Vermont residents were impacted.

Mercor confirmed the security incident in a statement to TechCrunch, which reported on the breach on March 31, 2026. The company also released a statement on X, formerly Twitter, acknowledging the breach.

The breach was allegedly connected to a supply chain attack involving LiteLLM, a Y Combinator-backed open-source project used widely across the internet. According to TechCrunch, malicious code was discovered in a package associated with LiteLLM's project. The compromise was linked to a hacking group called TeamPCP.

The malicious code was identified and removed within hours. Mercor told TechCrunch it was "one of thousands of companies" affected by the LiteLLM compromise.

Notably, the extortion hacking group Lapsus$ claimed responsibility for targeting Mercor. On March 30, 2026, the group posted on Telegram alleging it was selling Mercor's data. The posting claimed the stolen material totaled four terabytes and included databases, source code and customer and employee data.

The specific types of personal information that may have been exposed include names, Social Security numbers, government-issued ID numbers including driver's licenses, passports and state ID cards, addresses and dates of birth. Based on the claims made by Lapsus$, the compromised material could include both customer and employee data.

On June 25, 2026, the incident was formally disclosed to the California Attorney General. The unauthorized access occurred between March 24, 2026, through March 30, 2026.

Mercor's response to the breach

Mercor spokesperson Heidi Hagberg confirmed to TechCrunch that the company took action to contain and remediate the security incident. Hagberg declined to answer follow-up questions about whether the incident was connected to claims made by Lapsus$, according to TechCrunch.

At this time, Mercor is offering impacted individuals 24-months of complimentary credit monitoring and identity restoration services through TransUnion. Individuals must enroll by October 1, 2026, to receive the services.

Mercor has established a dedicated call center to answer questions about the cybersecurity event and to provide assistance with the TransUnion services. Individuals may reach the call center at 1-844-507-8047, from 8 a.m. to 8 p.m. ET Monday through Friday, excluding major U.S. holidays

Types of INFORMATION affected
  • Names
    Names
  • Social security numbers
    Social Security Numbers
  • Dates of birth
    Dates of Birth
  • Addresses
    Addresses
  • Government IDs
    Government IDs
  • Medical Information
    Medical Info
  • Financial Info
    Financial Info
  • Affected information types not yet disclosed

Notice Letter

This browser does not support inline PDFs. Please download the PDF to view it: Download PDF

Affected Entity
Mercor
Consumers Notification date
June 25, 2026
Date of Breach
March 24, 2026 - March 30, 2026
Breach Discovered Date
Total People Affected
Information Types Exposed
  • Drivers Licenses
  • Government ID Numbers
  • Name of individual
  • Address
  • Social Security Number Information
  • Driver’s License number
  • Government-issued ID number (e.g. passport)
  • Date of Birth
  • Social Security Numbers
CTA Image
CTA Image
CTA Image
CTA Image
CTA Image
CTA Image
CTA Image
CTA Image
CTA Image