🔐 Cybersecurity · AI Supply Chain

How Mercor Lost 4TB of Biometrics, Then Waited 3 Months

A 40-minute open-source hack detonated inside a $10B AI recruiting startup, and contractors only found out this summer.

Mercor’s supply chain nightmare started on March 27 with a poisoned Python package that was live for less than an hour. It ended in June with Meta pulling contracts indefinitely, Lapsus$ auctioning passport scans, and roughly 40,000 experts receiving a “your data was downloaded” email from a subdomain most of them had never seen. Here’s the full timeline, what the hackers actually got, why the three-month gap between the initial disclosure and mass notification matters legally, and what this breach reveals about how fragile the AI stack of 2026 has quietly become.

📅 Updated July 2026 ⏱ 8 min read
Mercor 4TB Breach — The 5 Numbers That Matter 01 40 min window 02 4TB stolen 03 $10B valuation 04 Meta paused 05 3-month wait

On March 27, 2026, two versions of an open-source Python library called LiteLLM went live on the PyPI package registry for roughly forty minutes before anyone noticed they were poisoned. Versions 1.82.7 and 1.82.8 contained credential-harvesting malware. During those forty minutes, developers around the world ran their usual dependency updates, and one of them worked inside Mercor, the AI recruiting startup that had been valued at $10 billion just five months earlier.

Between March 24 and March 30, the attackers moved through Mercor’s systems. On March 31, Mercor published a short statement acknowledging it was “one of thousands of companies impacted.” Days later, the Lapsus$ extortion group listed Mercor on its dark-web leak site, claiming to hold roughly 4 terabytes of stolen data, including candidate profiles, source code, API keys, TailScale VPN records, and full video interview archives.

Meta paused its Mercor contracts within days. Five contractors sued. And then, for about three months, individual experts on Mercor’s platform heard almost nothing about whether their passport scans, Social Security numbers, and facial biometrics had actually been taken. The notification wave finally arrived in early July.

📊 The Quick Truth
The breach

4TB reportedly stolen via LiteLLM

Lapsus$ listed Mercor on its leak site claiming 4TB of candidate profiles, PII, source code, API keys, VPN data, and interview recordings.

The disclosure

March 31 filing, July notices

Mercor confirmed a “supply chain incident” on March 31. Individual contractor breach notifications did not go out at scale until roughly three months later.

The catch

Passport scans and SSNs on the list

Independent reports and lawsuit filings cite passport scans, Social Security numbers, facial biometrics, and video interview recordings among the exfiltrated data.

The fallout

Meta pulled contracts, five suits filed

Meta paused its Mercor contracts indefinitely. Five contractors have filed suit. One complaint names LiteLLM and compliance startup Delve as co-defendants.

ItemWhat Mercor said publiclyWhat reports actually described
Scope“Very limited subset” of ~5M experts~40,000 contractors notified per reports
Data type“Contact information”Passport scans, SSNs, biometrics, videos
VolumeNot publicly quantified4TB per Lapsus$ leak-site listing
TimingQuickly detected and blockedAccess window: March 24 to March 30
NotificationInvestigation “now complete”Individual notices arrived ~3 months later
The 5 Moments That Turned a 40-Minute Bug Into a $10B Crisis
01

The 40-minute LiteLLM window

The entry point

On March 27, 2026, a threat group known as TeamPCP used compromised maintainer credentials to publish two malicious LiteLLM versions to PyPI: 1.82.7 and 1.82.8. The packages were live for roughly forty minutes before being pulled. That is not an unusually long window by open-source standards, but LiteLLM is not an unusually small package. According to Wiz Research, LiteLLM is present in roughly 36% of cloud environments, and Cybernews puts its monthly download volume near 97 million.

The malicious versions were designed to exfiltrate credentials from any system that installed them. LiteLLM’s own postmortem traces the root cause one step further back, to a separate compromise of a scanning tool called Trivy that had exposed sensitive tokens used in the LiteLLM CI/CD workflow. In other words: the poisoning of LiteLLM was itself the downstream result of a supply chain attack on the supply chain of LiteLLM.

The pattern will feel familiar to anyone who tracked log4j in December 2021. A single piece of shared infrastructure, so common it stops registering as a third-party dependency at all, becomes the highest-leverage target on the internet for a short window. LiteLLM in 2026 sits in the same category as log4j did then. It is glue code that connects application layers to LLM providers, and once it is installed, it sits deep inside CI/CD and runtime environments where credentials and tokens live. A poisoned version can silently pull whatever the surrounding process can reach.

💡 Why it mattered. Once a developer pulled the tainted version, harvested credentials could be used to pivot into cloud consoles, source repositories, and VPNs. Forty minutes of exposure was enough to catch Mercor and, by LiteLLM’s own accounting, thousands of other companies.
02

Lapsus$ lists Mercor for auction

The public escalation

Within days of Mercor’s short March 31 disclosure, the Lapsus$ extortion group added Mercor to its dark-web leak site and claimed to hold approximately 4 terabytes of internal data. The listing detailed candidate profiles, personally identifiable information, employer data, user accounts and credentials, video interviews, proprietary information, source code, API keys and secrets, and TailScale VPN records.

SecurityWeek reported that TeamPCP, the group behind the LiteLLM compromise, is believed to have partnered with Lapsus$ to monetize the access. This is a meaningful pattern change. Historically, Lapsus$ was best known for the 2022 attacks on Okta, Microsoft, Nvidia, and Samsung. TeamPCP has been more focused on open-source and cloud infrastructure. A collaboration between an infrastructure-focused compromise group and an established extortion brand is exactly the kind of vertical integration that made ShinyHunters’ Salesforce campaign so damaging and Cl0p’s MOVEit campaign so lucrative.

Mercor has neither confirmed nor denied the authenticity of the 4TB figure. Independent reporting from AllAboutCookies and Business Insider indicates roughly 40,000 contractors received breach notifications, a scale that is inconsistent with the “very limited subset” framing used in Mercor’s early public messaging. Whether the auction actually cleared, and to whom, is not publicly known. What is publicly known is that samples were posted to establish credibility, and those samples matched categories subsequently confirmed in the contractor notification emails.

💡 The gap that matters. “Very limited subset” of 5 million experts is Mercor’s number. 40,000 notified contractors is what reporters counted. Those two things can both be technically true and still leave a very large group of people whose passport scans are on a leak site.
03

Meta pauses contracts indefinitely

The customer fallout

Sources told Wired in early April that Meta had paused its Mercor contracts indefinitely. Mercor declined to comment. That decision matters more than it looks: Meta spent $14.3 billion on Mercor’s competitor Scale AI and still continued working with Mercor, because Mercor’s specialty is not raw labeling volume but access to domain experts, doctors, lawyers, and PhDs used to train reasoning-heavy models for OpenAI, Anthropic, Google, and Meta itself.

For a company reportedly on pace to hit over $1 billion in annualized revenue earlier in the year, per The Information, losing an anchor customer is a real revenue event, not a headline event. And Meta was almost certainly not alone in reviewing its exposure. Lab customers with SEC disclosure obligations, Microsoft, Google’s Alphabet, and Meta itself, had to privately determine whether evaluator metadata, rubrics, or program correspondence in Mercor’s environment qualifies as material under the SEC’s 2023 cybersecurity disclosure rules.

Mercor’s business model is what makes the Meta pause so consequential. The company was founded in 2023 by Brendan Foody, Adarsh Hiremath, and Surya Midha, all in their early twenties, and raised its $350 million Series C in October 2025 at a $10 billion valuation, led by Felicis Ventures. The pitch is that as frontier labs shifted from broad labeling to specialized reasoning training, they needed vetted domain experts on lab timelines, not gig-economy volume. Mercor operates a platform of roughly five million registered experts and moves them through video interviews, background checks, and NDA workflows before assigning them to lab projects. The vetting stack is exactly what got exfiltrated.

💡 Why this is a chokepoint. Mercor sits between the labs and the human experts who train them. A breach at Mercor is not just a breach of Mercor. It is a breach that potentially touches every AI lab that outsourced expert vetting to the same intermediary.
04

The Delve and Y Combinator fallout

The compliance angle

One of the five contractor lawsuits reviewed by TechCrunch named LiteLLM and Delve, an AI compliance startup, as co-defendants. The connection is that LiteLLM had used Delve to obtain its security certifications. Around the same time, an anonymous whistleblower accused Delve of allegedly faking data for those certifications and using rubber-stamping auditors. Delve denied the allegations while instituting operational changes, but by early April the reputational damage had begun. Y Combinator cut ties with Delve.

LiteLLM dropped Delve and moved to a different compliance partner. Mercor itself was not a Delve customer, the company confirmed to TechCrunch. But the sequence still lands somewhere uncomfortable for the industry: a widely used open-source AI library was certified through a compliance vendor now accused of rubber-stamping, and that library was then used to attack a startup valued at $10 billion. That is not a story about Delve alone. It is a story about a specific segment of the “AI compliance” market that grew fast in 2024 and 2025 by offering rapid SOC 2, ISO 27001, and HIPAA attestations to AI startups facing enterprise procurement questions for the first time.

The theory tested by the contractor lawsuit is that a compliance vendor that allegedly rubber-stamps controls contributes to downstream harm when those controls fail. Whether that theory survives a motion to dismiss will matter for the whole category. If it does, expect due diligence on compliance vendors themselves to become part of enterprise procurement checklists in a way it currently is not.

💡 The uncomfortable implication. “Compliance” in AI-adjacent open source is often theater. Certifications do not stop supply chain attacks. They only document that someone once believed a company had reasonable processes in place, and if that belief was based on faked evidence, the certification is a liability, not a shield.
05

The 3-month silence to individual contractors

The trust cost

Mercor’s March 31 statement acknowledged the LiteLLM incident. Its June 26 blog post announced that the third-party forensic investigation, assisted by Google’s Mandiant and security firm Latacora, was complete. In between, according to AllAboutCookies’ review of notification emails, most affected contractors did not receive individualized breach notices confirming their data had been touched. The notification emails, sent from mercor@notifications.cyberscout.com, arrived at scale roughly three months after the initial exposure window.

For the ~40,000 contractors reportedly notified, that gap has a real cost. During those three months, they could not place fraud alerts, could not freeze credit with specificity, and could not know whether the phishing attempts hitting their inbox were tied to Mercor or ambient noise. The company’s stated position, that most of the data affected was “contact information,” is inconsistent with the passport scans, SSNs, facial biometrics, and video interview recordings cited in independent reporting and in the five contractor lawsuits filed since April.

There is also a regulatory dimension. California’s CCPA, Illinois’ Personal Information Protection Act, New York’s SHIELD Act, and Texas’ identity theft statutes all trigger notification obligations when SSNs are involved. The specific timing rules vary, but “as soon as reasonably possible” is the general standard, and a three-month gap between confirmed exposure and mass notification will invite scrutiny. Affected EU-based contractors have GDPR data-subject rights that force Mercor to disclose precisely what categories of personal data were exfiltrated, on request, within one month. Those DSAR requests are already being filed.

💡 What the gap costs. Delayed notification is not just bad optics. FTC Section 5 authority has been used repeatedly to penalize companies that failed to maintain “reasonable security,” and open-dependency hygiene is squarely inside that category now. The Mercor timeline is the exact fact pattern that becomes case law.
📊 By the Numbers
40 min
LiteLLM tainted-package window
💾
4 TB
Data claimed by Lapsus$
💰
$10B
Mercor’s Oct 2025 valuation
📅
3 months
Gap to individual notifications

A 40-minute open-source hack, a
$10 billion startup, and 3 months of
silence between them.

That’s the shape of a 2026 AI supply chain incident.
The AI Stack of 2026 Looks Like the Cloud Stack of 2014

The deeper story behind the Mercor breach is structural. The AI stack of 2026 is composed of a small number of widely shared open-source primitives: LiteLLM, LangChain, Triton, vLLM, Ray, Helm. These libraries have moved from “interesting tools” to “load-bearing infrastructure” without the corresponding investment in dependency hygiene, package signing, cryptographic attestation, and incident response.

Security researchers have been tracking this migration for years. The chokepoints keep moving: operating systems in the early-2000s patch worms, OS-level package managers in the 2010s npm and PyPI incidents, CI/CD systems in the Codecov era, identity and SaaS in the Okta and MOVEit years, and now AI-specific middleware. LiteLLM is to the LLM stack what log4j was to Java logging in 2021, a piece of plumbing so common it stopped being treated as a third-party dependency at all.

Each successive incident has shortened the window between dependency compromise and downstream impact. In log4j’s case, exploitation took days to weeks. In LiteLLM’s case, forty minutes of tainted-package availability was enough to reach a $10 billion startup’s video interview archive. The direction of travel is compressing, not stretching.

The fix, to the extent one exists, involves things that are neither novel nor exciting: signed packages with hardware-backed maintainer keys, reproducible builds, mandatory attestation for high-privilege dependencies, and internal review of every net-new import into production. None of these things are secrets. They are just underinvested. Mercor’s breach did not happen because the industry lacked the technology to prevent it. It happened because a small number of shared primitives grew load-bearing faster than the ecosystem around them grew defensive, and one poisoned package on one Friday in March landed in the wrong CI/CD workflow.

Timeline — LiteLLM Compromise to Mercor Notifications Mar 27 LiteLLM 40-min poisoning window Mar 31 Mercor confirms supply chain hit Early Apr Lapsus$ lists 4TB Meta pauses contracts Apr-Jun 5 lawsuits filed Forensic work ongoing Late Jun Individual notices sent to contractors ≈ 3 months between root-cause window and individual contractor notification
📅 What to watch through the rest of 2026
  • State AG action. California, New York, Texas, and Illinois have aggressive breach-notification statutes that trigger on SSN exposure. Delayed notice is the kind of fact pattern AGs pursue.
  • Class action consolidation. Five contractor suits have already been filed. Expect motions to consolidate, and expect the LiteLLM and Delve theories to be tested in discovery.
  • Meta contract status. Whether Meta resumes Mercor contracts, and on what terms, is the clearest signal of how lab customers are pricing Mercor’s security posture now.
  • FTC Section 5 scrutiny. Open-source dependency hygiene is now on the FTC’s list of “reasonable security” expectations. A Mercor case would establish precedent.
  • LiteLLM’s ongoing security posture. LiteLLM’s second-choice compliance vendor and its Trivy-related remediation are the tell for whether the ecosystem is actually changing.

⚠️ Four things to keep in mind reading Mercor’s disclosures

1. “Contact information” is a very small word for what was on the leak site. Reports and lawsuit filings describe passport scans, SSNs, facial biometrics, and video interviews. Mercor’s public language has been narrower than the independent reporting, and the notification emails sent to contractors describe categories that go beyond simple contact data.

2. “Thousands of companies were affected” is true and not exonerating. LiteLLM’s 36% cloud-environment footprint means many companies pulled the tainted package. What differentiates Mercor is not that it was hit. It is what Mercor stored (biometrics, government IDs, video), how long attackers had, and how long it took to tell affected people.

3. Certifications do not stop supply chain attacks. LiteLLM was certified through Delve. Delve was accused of rubber-stamping. Certifications are a documentation artifact, not a defensive control. If enterprise procurement is treating them as controls, that is the actual security gap.

4. Attribution is provisional. Reporting attributes the LiteLLM compromise to TeamPCP and the 4TB auction to Lapsus$, with a claimed partnership between them. Threat-actor attribution based on leak-site branding is soft evidence. What is firm is the timeline, the data categories, and the notification gap.

✅ The Bottom Line

Mercor 4TB breach, what to remember

1
The trigger: LiteLLM PyPI versions 1.82.7 and 1.82.8, live for ~40 minutes on March 27, containing credential-harvesting malware from the TeamPCP group.
2
The scope: Lapsus$ listed 4TB. Mercor called it a “very limited subset.” Roughly 40,000 contractor notifications went out, per reports.
3
The data: Passport scans, SSNs, facial biometrics, video interview recordings, TailScale VPN records, source code, API keys.
4
The customer hit: Meta paused Mercor contracts indefinitely. Five contractor lawsuits filed. One names LiteLLM and Delve as co-defendants.
5
The timing gap: Roughly three months between the March 27 exposure window and mass individual contractor notifications in late June.
🔗 For the original TechCrunch reporting on the Mercor fallout and Meta contract pause, see TechCrunch’s coverage of the Mercor breach.
💬 Frequently Asked Questions
Q. What actually caused the Mercor 4TB breach?
The root cause was a supply chain attack on LiteLLM, an open-source Python library widely used in AI development. On March 27, 2026, the TeamPCP group used stolen maintainer credentials to publish two malicious versions of LiteLLM (1.82.7 and 1.82.8) to PyPI. They were live for roughly 40 minutes and contained credential-harvesting malware. Mercor was one of many companies that installed the tainted package.
Q. Is the 4TB number confirmed?
The 4TB figure comes from the Lapsus$ extortion group’s leak-site listing. Mercor has not confirmed or denied the figure. Independent security reporting from SecurityWeek, Cybernews, and Hackread describes the same 4TB claim and the same categories of stolen data. Whether every listed file is authentic remains publicly unverified, but the categories (passport scans, SSNs, source code, TailScale VPN data) match what contractor notification emails have since described.
Q. Did Meta really stop working with Mercor?
According to Wired’s reporting, sources said Meta paused its Mercor contracts indefinitely in the weeks after the breach. Mercor declined to comment. Meta’s continued relationship with Mercor had been notable in the industry because Meta had already spent about $14.3 billion on Mercor’s competitor Scale AI, and the fact that it still used Mercor was seen as a signal of how valuable Mercor’s expert-vetting model is to reasoning-model training.
Q. What should I do if I got a Mercor breach notification email?
Enroll in the identity protection service Mercor offered in the notification, place a fraud alert or credit freeze with the major bureaus, and stay alert for targeted phishing that references your Mercor contractor role or specific project history. The stolen data categories (passport scans, SSNs, facial biometrics, video interviews) are personal enough that any follow-up scam could be highly convincing. Notifications came from mercor@notifications.cyberscout.com. Verify any inbound outreach through Mercor’s official channels before responding.
Q. Does this mean OpenAI, Anthropic, or Google training data was exposed?
Publicly, no. None of Mercor’s lab customers have confirmed that their model training data or weights were touched. What labs are having to assess privately is a narrower question: whether evaluator metadata, NDAs, rubrics, or program management correspondence in Mercor’s environment qualifies as a notifiable disclosure under their own customer contracts and SEC obligations. That is a different conversation from “training data leaked,” and it is the conversation that has actually been happening at Microsoft, Alphabet, and Meta legal teams since April.
Q. Is Mercor going to survive this?
Probably yes, based on public reporting. Mercor was reportedly on pace to hit over $1 billion in annualized revenue before the breach, and the underlying business (fast access to vetted domain experts on lab timelines) still solves a real problem. Meta paused, not terminated. The lawsuits are contained to five plaintiffs so far. What is not clear is whether the next funding round prices in the security posture the way it priced in the growth curve. Mercor’s next major test is not survival. It is whether the AI labs treat “we hired Mandiant and Latacora” as sufficient going forward, or whether they push for structural changes like on-premise vetting, tokenized biometrics, and independent audit of the CI/CD chain.
✍️
Editor’s Note. Timeline and technical details verified through TechCrunch, SecurityWeek, Cybernews, Hackread, AllAboutCookies, Wired, Business Insider, and Mercor’s own security blog. The 4TB figure is per the Lapsus$ leak-site listing and remains not independently authenticated. Contractor notification data is drawn from AllAboutCookies’ review of notice emails sent from mercor@notifications.cyberscout.com. Case reference: In re Mercor LiteLLM Supply Chain Incident, March 2026.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top