What Happened in the Mercor Data Breach?
Mercor, an AI training data platform that connects frontier AI labs with domain experts, confirmed it suffered a cyberattack that exposed sensitive personal information. The Mercor data breach came to light after TechCrunch reported on March 31, 2026, that the company had been affected by a supply chain compromise tied to the open-source project LiteLLM. As a result, thousands of companies using LiteLLM, including Mercor, were caught up in the incident.
According to available information, malicious code was discovered inside a package connected to the LiteLLM project. This compromise has been linked to a hacking group known as TeamPCP. The unauthorized access to Mercor’s systems reportedly occurred between March 24, 2026, and March 30, 2026. Investigators say the malicious code was identified and removed within hours of discovery, though the intrusion window had already allowed data to be accessed.
Notably, the extortion group Lapsus$ claimed responsibility for targeting Mercor specifically. On March 30, 2026, the group posted on Telegram claiming it was selling Mercor’s data. The group alleged the stolen material totaled four terabytes, including databases, source code, and customer and employee data. Mercor has not confirmed whether the Lapsus$ claims are directly connected to the LiteLLM-related compromise.
Mercor formally disclosed the incident to the California Attorney General on June 25, 2026. This filing, along with notifications to other state regulators, confirmed the scope of the breach following an internal investigation into the unauthorized access.
Who was affected?
The Mercor data breach affected a total of 21,677 individuals nationwide. Because Mercor operates a platform connecting AI labs with domain experts, the affected population likely includes both customers and employees. Lapsus$’s claims specifically referenced customer and employee data being part of the stolen material.
State-level filings offer a glimpse into the geographic spread of those affected. For example, Texas reported 2,025 impacted residents, Massachusetts reported 778, Indiana reported 238, and Vermont reported 35. These numbers suggest the breach reached individuals across many states, not just a single region.
At this time, it hasn’t been publicly disclosed whether minors were among those affected. Given the nature of Mercor’s business, it’s likely that most affected individuals are adults who either worked with the platform as domain experts or were employed by the company directly.
What Information Was Potentially Exposed?
The categories of personal information tied to this breach are especially sensitive. Based on statements from Mercor and claims made by Lapsus$, the exposed data may include a range of identifying details used to verify identity and access financial accounts.
- Full names
- Social Security numbers
- Driver’s license numbers
- Passport numbers
- State-issued ID card numbers
- Home addresses
- Dates of birth
Because Social Security numbers and government ID numbers were involved, the risk to affected individuals is significant. Criminals can use this type of information to open new credit accounts, file fraudulent tax returns, or apply for loans in someone else’s name. This kind of identity theft can take months or years to fully resolve.
In addition, the combination of names, addresses, and dates of birth makes it easier for scammers to craft convincing phishing messages. As a result, affected individuals may see an uptick in fraudulent emails, calls, or texts that appear to come from legitimate institutions. This is why ongoing vigilance is so important in the months following a breach like this one.
What is the company doing?
Once Mercor became aware of the incident, the company took steps to contain and remediate the security issue. A Mercor spokesperson confirmed to TechCrunch that the malicious code tied to the LiteLLM compromise was removed within hours of discovery. However, the company declined to answer follow-up questions about whether the incident was connected to the Lapsus$ claims.
Mercor is now offering affected individuals 24 months of complimentary credit monitoring and identity restoration services through TransUnion. Individuals must enroll by October 1, 2026, to take advantage of these services. In addition, Mercor has set up a dedicated call center to answer questions about the incident and assist with enrollment in the TransUnion services.
What Should Affected Individuals Do?
Enroll in the Free Credit Monitoring Offered
If you received a notification letter from Mercor, you should enroll in the complimentary credit monitoring and identity restoration services right away. These services can help detect suspicious activity on your credit file before it causes lasting damage.
Because enrollment closes on October 1, 2026, it’s important not to delay. You can call the dedicated hotline at 1-844-507-8047 during business hours if you need help signing up or have questions about the process.
Place a Fraud Alert or Credit Freeze
Given that Social Security numbers and government ID numbers were potentially exposed, placing a fraud alert or credit freeze is a strong protective step. A credit freeze restricts access to your credit report, which makes it much harder for identity thieves to open new accounts in your name.
To freeze your credit, you’ll need to contact each of the three major credit bureaus separately. Alternatively, a fraud alert is easier to set up and only requires contacting one bureau, though it offers a shorter layer of protection than a freeze.
Monitor Your Credit Reports and Financial Accounts
You should regularly review your credit reports for accounts or inquiries you don’t recognize. Under federal law, you’re entitled to a free credit report from each of the three major bureaus every year, so use this to your advantage.
In addition, checking your bank and credit card statements often can help you catch unauthorized charges early. If you notice anything unusual, report it to your financial institution immediately so they can investigate and limit any damage.
Stay Alert for Phishing Attempts
Because your name, address, and date of birth may have been exposed, scammers could use this information to craft convincing phishing messages. Be cautious of unexpected emails, texts, or phone calls asking you to verify personal details or click on links.
Instead of responding directly, contact the company through its official website or phone number if you’re unsure whether a message is legitimate. This simple step can prevent you from accidentally handing over more sensitive information to a scammer.
Consider Speaking With a Data Breach Attorney
Given the sensitive nature of the data involved, including Social Security numbers and government-issued ID numbers, affected individuals may want to consult with an attorney who focuses on data breach cases. An attorney can help you understand your legal rights and whether you may be eligible for compensation.
Many data breach attorneys offer free case evaluations, so there’s little risk in reaching out to discuss your situation. This can also help you understand any deadlines that may apply if you decide to pursue legal action related to this breach.
More Information
Official State Attorney General Notification
Official Data Breach Notification Letter (PDF)
Official Notice from Techcrunch
Official State Attorney General Notification
