Mercor, a three-year-old startup valued at 10 billion dollars that supplies training data to major artificial intelligence companies, confirmed in April 2026 that it was the victim of a security breach that may have exposed sensitive company and user data. The firm recruits experts across fields including medicine, law, and literature to help improve the capabilities of AI models, and its customer roster includes Anthropic, OpenAI, and Meta.

The company said the incident was linked to a supply-chain attack involving LiteLLM, a widely used open-source library that connects applications to AI services. Because the affected component is common across AI development workflows, the breach drew attention to how dependencies in the AI tooling stack can become a single point of failure.

Mercor handles detailed records tied to the contractors and experts it engages, which raised concern about the categories of personal and professional information potentially involved. The company began notifying affected parties and reviewing the scope of the exposure following the disclosure.

The breach was one of several 2026 incidents that traced back to AI-related software and services rather than a company's own core systems. Security researchers have noted that the rapid adoption of AI libraries, connectors, and hosted services has expanded the attack surface for the firms that build and train models. The Mercor case illustrates the downstream risk created when widely shared open-source components are compromised.

Source: Fortune - https://fortune.com/2026/04/02/mercor-ai-startup-security-incident-10-billion/