
Mercor, an AI training data platform that connects frontier AI labs with domain experts for model training, confirmed it was affected by a cyberattack tied to a compromise of the open-source project LiteLLM. So far, 2,025 Texas residents, 778 Massachusetts residents and 35 Vermont residents were impacted.
Mercor confirmed the security incident in a statement to TechCrunch, which reported on the breach on March 31, 2026. The company also released a statement on X, formerly Twitter, acknowledging the breach.
The breach was allegedly connected to a supply chain attack involving LiteLLM, a Y Combinator-backed open-source project used widely across the internet. According to TechCrunch, malicious code was discovered in a package associated with LiteLLM's project. The compromise was linked to a hacking group called TeamPCP.
The malicious code was identified and removed within hours. Mercor told TechCrunch it was "one of thousands of companies" affected by the LiteLLM compromise.
Notably, the extortion hacking group Lapsus$ claimed responsibility for targeting Mercor. On March 30, 2026, the group posted on Telegram alleging it was selling Mercor's data. The posting claimed the stolen material totaled four terabytes and included databases, source code and customer and employee data.
The specific types of personal information that may have been exposed include names, Social Security numbers, government-issued ID numbers including driver's licenses, passports and state ID cards, addresses and dates of birth. Based on the claims made by Lapsus$, the compromised material could include both customer and employee data.
On June 25, 2026, the incident was formally disclosed to the California Attorney General. The unauthorized access occurred between March 24, 2026, through March 30, 2026.
Mercor spokesperson Heidi Hagberg confirmed to TechCrunch that the company took action to contain and remediate the security incident. Hagberg declined to answer follow-up questions about whether the incident was connected to claims made by Lapsus$, according to TechCrunch.
At this time, Mercor is offering impacted individuals 24-months of complimentary credit monitoring and identity restoration services through TransUnion. Individuals must enroll by October 1, 2026, to receive the services.
Mercor has established a dedicated call center to answer questions about the cybersecurity event and to provide assistance with the TransUnion services. Individuals may reach the call center at 1-844-507-8047, from 8 a.m. to 8 p.m. ET Monday through Friday, excluding major U.S. holidays








.webp)
.webp)
.webp)

.webp)
.webp)
.webp)
.webp)