Mercor is a $10 billion AI data training startup. Today, it is still reeling from the effects of a major data breach that occurred on March 31. The firm was on pace to exceed $1 billion in annualized revenue at the beginning of this year. Today, it confronts a difficult winter as it contends with the impact of this malicious cyberattack.
The breach originated from a compromise in the open-source LiteLLM project. This exploit allowed a hacker group to steal an eye-watering 4 terabytes of sensitive data from Mercor’s systems. The stolen data includes profiles of candidates, PII, employer data, source code, and API keys. The implications of this breach are far-reaching, not just for Mercor, but also for its contractors and clients.
To further complicate matters, five of Mercor’s contractors have sued, claiming improper exposure of personal information. The lawsuits name LiteLLM and Delve, an AI compliance startup that helped LiteLLM get security certifications. Delve is in hot water now as well. An anonymous whistleblower has claimed that the company manufactured data in order to get its certifications and employed rubber-stamping auditors.
And yet, less than six months before all this chaos, Mercor closed a $350 million Series C funding round. That accomplishment raised its valuation as high as $10 billion. That capital was supposed to propel the company toward its extraordinary growth targets. The widespread breach that was revealed this week has thrown those aspirations into serious doubt.
Mercor’s tools were found to contain credential-harvesting malware able to steal login credentials for up to 40 minutes. This disturbing discovery calls into question the security practices employed across the company’s infrastructure.
“Mercor will continue to communicate with our customers and contractors directly as appropriate and devote the resources necessary to resolving the matter as soon as possible,” stated a company representative. This commitment is a tangible sign of Mercor’s desire to lead in addressing the crisis.
OpenAI told us it is actively investigating its own exposure related to the breach. It has not suspended or terminated its contracts with Mercor so far. Still, this small drama underlines just how incestuous the young AI sector is. It poses big questions about the impact on data security.
The repercussions of this attack cannot be overstated. LiteLLM’s tool is installed hundreds of millions of times every day, vastly amplifying the risk of exposure. These allegations have cast doubt on the credibility of both LiteLLM and Delve. Unfortunately, this new reality may even complicate Mercor’s recovery efforts.





