Mercor, a startup valued at roughly $10 billion that supplies training data to major artificial intelligence companies, confirmed it was the victim of a cybersecurity breach that may have exposed sensitive company and user data. Mercor's customers include Anthropic, OpenAI, and Meta, placing the incident at the center of the AI supply chain.
The company tied the breach to a supply-chain attack involving LiteLLM, a widely used open-source library that connects applications to AI services. Investigators have linked the activity to a hacking group identified as TeamPCP. Because LiteLLM is embedded across many AI applications, a compromise at that layer can reach data flowing through numerous downstream systems.
Mercor's role makes the exposure notable. The company provides the human-labeled and curated data that AI developers use to train and refine models, work that involves handling proprietary material from its clients. A breach at a data vendor of that kind raises questions about how sensitive information is protected as it passes between contractors and the AI firms they serve.
The incident sits within a broader pattern of breaches striking AI infrastructure and third-party software dependencies. Cloud hosting company Vercel separately disclosed that hackers accessed customer data through a breach originating at another software maker, Context AI, and contacted affected customers whose app data and keys were compromised.
Mercor said it is investigating the scope of the exposure and notifying affected parties. The company has not detailed the full extent of the data accessed. The breach underscores how dependencies on shared open-source components can carry risk across the AI industry.
Source: Fortune - https://fortune.com/2026/04/02/mercor-ai-startup-security-incident-10-billion/