AI hiring platform Mercor has officially completed a third-party forensic investigation into a March 2026 supply chain cyberattack, confirming that hackers successfully exfiltrated sensitive user data.[1]
The breach occurred between March 24 and March 30, 2026, stemming from a malicious update injected into LiteLLM, a popular open-source tool used widely across the AI sector.
While Mercor stated that the breach affected only a "very limited subset" of its nearly five million experts, independent cybersecurity reports and active class-action lawsuits indicate that approximately four terabytes of data — impacting over 40,000 contractors — were stolen.
Here's what was taken, why this breach is harder to shake than most, and what to do if you received a notification.
Delayed notifications and independent findings
Though the attack took place in late March, the startup waited roughly three months to notify users, sending out official data breach notices on June 25 and 26.
Mercor defended the timeline, stating it delayed disclosure to allow third-party forensic firms Mandiant and Latacora, alongside law enforcement, to accurately map the damage.
However, the three-month delay has already sparked major legal blowback. A putative class-action lawsuit filed in California, Ananthula v. Mercor.io Corp, alleges the company failed to maintain adequate cybersecurity. At least seven suits have now been filed in federal courts in California and Texas.
While Mercor's official update maintains there is "no evidence that any of this data has been used fraudulently," cybersecurity firms have tracked the stolen cache being shopped around dark web forums. The extortion group Lapsus$, which claimed responsibility for the breach, listed the cache on those forums and began auctioning it to potential buyers.
What the hackers took
According to Mercor's official post, no employee data was affected, and the customer impact was minimal because clients operate on their own isolated infrastructure.
For the impacted contractors, however, the stolen 4-terabyte haul goes far beyond basic contact information. According to court filings, the compromised data includes:
- Government identification, including passport and driver's license scans
- Tax information, including SSNs and W-9 forms
- Biometric data, including more than 3 terabytes of AI video interviews and facial biometrics
- Proprietary infrastructure, including source code and cloud API keys
The company said it began notifying affected individuals on June 25 and June 26 from mercor@notifications.cyberscout.com, with emails detailing what information was involved and offering complimentary TransUnion identity protection services.
What Mercor told affected users
The notification email, titled "Notice of Data Breach," provides additional detail about the incident and confirms attackers had access to some Mercor systems between March 24 and March 30.
"The malware enabled the unauthorized actor to access some of our systems between March 24-30, 2026. We quickly detected and blocked the activity while working with third-party security experts to investigate what happened and further strengthen our security."
"Following the investigation, we determined that your contact information was downloaded by the threat actor," the notice added.
What Mercor is doing now
Mercor says it has strengthened its security since the incident by:
- Auditing all third-party software dependencies
- Rotating credentials and access keys across cloud platforms, GitHub, and SaaS systems
- Tightening cloud security policies and network controls
- Expanding independent penetration testing
- Implementing 24/7 managed detection and response
The company said it will continue investing in additional safeguards and monitoring to help prevent similar incidents in the future.
If you receive an email from mercor@notifications.cyberscout.com, it's worth reading carefully to determine whether your information was involved and to take advantage of any identity protection services being offered.
What to do if you got a Mercor breach notice
If you receive a notification from Mercor, don't ignore it.
- Enroll in the free identity protection. Mercor is offering complimentary identity protection services to affected individuals, with enrollment instructions in the notification email. Do it even if nothing looks suspicious yet. Monitoring works best when it starts early.
- Pull your credit reports. Request copies of your credit reports from all three major bureaus and look for accounts, inquiries, or activity you don't recognize.
- Consider a fraud alert or credit freeze. If your SSN or government ID was exposed, a fraud alert requires lenders to verify your identity before opening new accounts in your name. A credit freeze goes further by blocking new credit applications entirely until you lift it.
- Watch for targeted phishing. The stolen data includes your name, job history, contact information, and recorded interview footage. That's enough for follow-up scams to look unusually convincing. Be skeptical of any unexpected emails or calls claiming to be from Mercor, TransUnion, or a financial institution.
- Keep a record. Log any suspicious activity, phishing attempts, and time you spend on remediation. This matters if you join a class action or file a complaint with the FTC.
Bottom line
Mercor confirmed that a March 2026 supply chain attack exposed passport scans, Social Security numbers, facial biometrics, and video interview recordings belonging to a subset of its nearly five million contractors — and the company waited three months to say so.
If you worked with Mercor and received a notice, enroll in the offered identity protection, consider placing a fraud alert or freeze on your credit, and stay alert for targeted phishing. The stolen data is personal enough that follow-up scams could be convincing.