After a data breach, $10 billion startup Mercor has a month to go

Six months ago, Mercor was flying high after raising a massive $350 million Series C that valued the AI ​​data training startup at $10 billion. But after admitting on March 31 that it was the target of a data breach, the company is in a world of trouble.

Since then, a group of hackers has claimed to have had 4 terabytes of data stolen from Mercor’s systems, including candidate profiles, personally identifiable information, employer data, source code, and API keys. Mercur did not comment on the authenticity of the data, confirming only that it is investigating the matter and “will continue to communicate with our customers and contractors directly as appropriate and allocate the necessary resources to resolve the problem as soon as possible.”

Mercor said its data breach was the result of a hack of the open source tool LiteLLM. This tool is so popular that it is downloaded millions of times daily. For 40 minutes, the tool contained credential harvesting malware, which is rogue software that can steal login credentials. These credentials were used to access more programs and accounts, which I used to harvest more credentials, and so on.

While there has been no official acknowledgment of the amount of data collected by Merkur, there have been repercussions nonetheless. Meta has paused its contracts with Mercor indefinitely, sources told Wired. (Merkur declined to comment to TechCrunch on this matter.)

Like other contract AI data training companies, Mercor handles some of model makers’ biggest trade secrets: custom datasets and the processes they use to teach their models. This is so important to them that even after Meta spent $14.3 billion on Mercor’s competitor Scale AI, it continued to work with Mercor.

In some good news for Mercor (maybe… we’ll see): OpenAI also confirmed to Wired that it was investigating Mercor’s breach, but said it was not pausing or terminating its contracts at the time. However, TechCrunch has heard from multiple sources that other large model makers may also be considering their relationships with Mercor following the hack, though we haven’t confirmed enough details to name names yet.

Meanwhile, five Mercur contractors have filed lawsuits, Business Insider reports, over their alleged exposure of personal data. It remains to be seen whether these lawsuits represent a serious threat or are merely opportunistic and annoying. (Mercur declined to comment.)

One lawsuit, reviewed by TechCrunch, even named LiteLLM and Delv as defendants. This is wild, and perhaps a stretch, but here’s the connection: LiteLLM used AI compliance startup Delve to obtain its security certifications. A whistleblower accused Delve of falsifying data for security certificates and using rubber-checkers.

A security certificate does not directly prevent hackers from launching successful attacks, but its purpose is to ensure that companies have processes in place to mitigate such threats.

Although Delve has denied the allegations while simultaneously making operational changes, it was in a world of hurt of its own, so much so that Y Combinator cut ties with the company.

LiteLLM has abandoned Delve and is now working with another AI startup to get its security certifications again. LiteLLM also published a full report on the security incident.

But Mercor itself was not a Delve customer, the company confirmed to TechCrunch. However, if the fallout continues for Mercur, a lot of revenue could be at stake. The company was reportedly on track to achieve annual revenues of more than $1 billion earlier this year before the data leak, an anonymous source told The Information.