Six months ago, Mercor was flying high after raising a whopping $350 million Series C that valued the AI data training startup at $10 billion. However, the company has faced challenges since admitting on March 31st that it had been the target of a data breach.
The hacker group has since claimed to have obtained 4TB of stolen data from Mercor’s systems, including candidate profiles, personally identifiable information, employer data, source code, and API keys. Mercor did not comment on the reliability of the data, only reiterating that it was investigating and “will continue to communicate directly with customers and contractors as necessary and will commit the necessary resources to resolve the issue as quickly as possible.”
Mercor said the data breach was the result of a hack of the open source tool LiteLLM. This tool is so popular that it is downloaded millions of times a day. The tool harbored credential harvesting malware (malicious software that can steal login credentials) for 40 minutes. These credentials were used to gain access to more software and accounts, which in turn were used to collect even more credentials.
While it has not been officially acknowledged how much data was scooped from Mercor, the impact is still there. Meta has indefinitely suspended its contract with Mercor, sources told Wired. (Mercor declined to comment to TechCrunch on this.)
Like other AI data training contract companies, Mercor works with some of model makers’ biggest trade secrets: the custom data sets and processes they use to teach their models. This is so important to them that Meta continued to work with Mercor even after spending $14.3 billion on Mercor’s competitor, Scale AI.
A spot of good news for Mercor (perhaps…we’ll see): OpenAI also confirmed to Wired that it was investigating Mercor’s breach revelations, but said it had not suspended or terminated any contracts at that time. However, TechCrunch has heard from multiple sources that other major model manufacturers may also be weighing their relationships with Mercor in the wake of the breach, though nothing has been confirmed in enough detail to name them at this time.
Meanwhile, five of Mercor’s contractors have filed lawsuits over alleged personal data breaches, Business Insider reports. It remains to be seen whether these lawsuits represent a serious threat or just an opportunistic nuisance. (Mercor declined to comment.)
One lawsuit reviewed by TechCrunch also names LiteLLM and Delve as defendants. This is wild and probably an overstatement, but the relevance is this: LiteLLM used AI compliance startup Delve to obtain security certification. Delve has been accused by an anonymous whistleblower of falsifying data and using rubber-stamped auditors for security certifications.
Although security certifications do not directly thwart successful attacks by hackers, they are intended to ensure that companies have processes in place to minimize such threats.
Delve denied these allegations and simultaneously introduced operational changes, but by the time Y Combinator severed ties with the company, it found itself in a world of hurt.
LiteLLM has ditched Delve and is now working with another AI compliance startup to re-earn its security certification. LiteLLM also published a full report on the security incident.
Mercor itself was not a Delve customer, the company confirmed to TechCrunch. But if the fallout from Mercor continues, significant profits could be at risk. Anonymous sources told The Information that the company was on track to exceed $1 billion in annual revenue earlier this year before the data breach.
