
Mercor, an AI data training startup valued at $10 billion after raising a $350 million Series C six months ago, is confronting mounting challenges after disclosing on March 31 that it had been targeted in a data breach. The incident has raised concerns across the artificial intelligence industry, prompting investigations, legal actions, and scrutiny from major partners.
Hackers Claim Access To Sensitive Data
Following the disclosure, a hacker group claimed to have obtained 4TB of data from Mercor’s systems. The allegedly stolen information includes candidate profiles, personally identifiable information, employer data, source code, and API keys.
Mercor has not confirmed the authenticity of the claims. The company stated it is investigating the incident and “will continue to communicate with our customers and contractors directly as appropriate and devote the resources necessary to resolving the matter as soon as possible.”
Breach Linked To Compromised Open Source Tool
Mercor attributed the breach to a hack involving LiteLLM, a widely used open source tool downloaded millions of times daily. According to the company, credential-harvesting malware was embedded in the tool for approximately 40 minutes.
The rogue software let attackers steal login credentials, which they then used to access additional systems and accounts, leading to further credential harvesting and data exposure.
Industry Partners Assess Exposure And Risk
The repercussions have extended to Mercor’s business relationships. According to Wired, Meta has indefinitely paused its contracts with Mercor. The company declined to comment on the matter when contacted by TechCrunch.
Contract AI data training firms such as Mercor handle sensitive proprietary datasets and processes used to train artificial intelligence models. These assets are considered critical to model developers, underscoring the significance of potential security breaches. Meta previously maintained its partnership with Mercor even after investing $14.3 billion in its competitor, Scale AI.
OpenAI confirmed to Wired that it is investigating its potential exposure but stated it had not paused or terminated its contracts with Mercor at the time. TechCrunch reported that other major AI model developers may also be evaluating their relationships with the company, though details have not been publicly confirmed.
Lawsuits Filed Over Alleged Data Exposure
The breach has also led to legal action. Business Insider reported that five Mercor contractors have filed lawsuits alleging exposure of their personal data. Mercor declined to comment on the cases.
One lawsuit reviewed by TechCrunch names LiteLLM and AI compliance startup Delve as defendants. LiteLLM had used Delve to obtain security certifications. An anonymous whistleblower has accused Delve of falsifying data for these certifications and relying on auditors who allegedly approved them without sufficient scrutiny.
Security certifications are intended to verify that organizations implement safeguards to mitigate threats, though they do not guarantee immunity from cyberattacks.
Delve Faces Scrutiny Amid Certification Allegations
Delve has denied the allegations while implementing operational changes. The company has also faced its own challenges, including Y Combinator severing ties with the startup.
In response to the incident, LiteLLM discontinued its relationship with Delve and partnered with another AI compliance firm to secure new certifications. LiteLLM also released a comprehensive report detailing the security breach.
Mercor confirmed to TechCrunch that it was not a customer of Delve.
Revenue And Growth Prospects Under Pressure
Despite the controversy, Mercor had been experiencing rapid financial growth. An anonymous source told The Information that the company was on pace to surpass $1 billion in annualized revenue earlier this year before the breach occurred.
As investigations continue and partners evaluate their positions, the incident highlights the potential business risks associated with security vulnerabilities in widely used software tools.
