Mercor Data Breach

In or around March 2026, Mercor, an AI recruiting and data training platform, experienced a significant cybersecurity incident reportedly linked to a supply-chain vulnerability involving the open-source software LiteLLM. According to public reporting and allegations in filed litigation, unauthorized actors were able to access Mercor’s systems and exfiltrate a substantial volume of data—reportedly on the order of several terabytes—potentially including highly sensitive personal and professional information belonging to candidates and contractors who used the platform.

On April 21, 2026, Hausfeld LLP and Hall Attorneys, P.C. filed a putative class action lawsuit in the U.S. District Court for the Northern District of California on behalf of individuals whose personal information may have been compromised. The complaint alleges that Mercor’s AI-driven labor platform centralized a wide range of sensitive data, including recorded AI interviews, facial biometric data, background-check dossiers, tax and banking information, and personal-device screenshots captured through Insightful monitoring, and that a LiteLLM supply-chain compromise enabled the exfiltration of approximately four terabytes of that data.

The information at issue may include recorded video interviews and related biometric data, background check and identity verification materials, tax and banking information, and other personally identifiable information. The complaint further alleges that certain monitoring tools captured screenshots or other activity from users’ devices, raising additional concerns about the scope of the data exposed. It also alleges that Mercor processed and retained this data through AI-driven scoring systems and client-facing review tools, effectively creating employment-related profiles that individuals could not meaningfully access, correct, or challenge.

According to the complaint, a group identifying itself as “TeamPCP” claimed responsibility for the intrusion, which allegedly occurred on or about March 24, 2026. The complaint further cites public reporting describing the scope of the data exfiltration, including approximately 211 GB of candidate records (such as resumes, verified contact information, and Social Security numbers), approximately 3 TB of video and identity-verification data (including interview recordings and government identification documents), and approximately 939 GB of source code and internal systems data.

Given Mercor’s role in connecting individuals with companies seeking data for artificial intelligence training, the breach raises broader concerns about how sensitive personal data is collected, stored, and used in the rapidly evolving AI industry. Individuals whose information was compromised may face an increased risk of identity theft, financial fraud, or misuse of biometric and other sensitive data.

The lawsuit asserts claims including failure to implement reasonable data security measures, negligence, and violations of applicable privacy and consumer protection laws, including the Fair Credit Report Act, and seeks damages and injunctive relief on behalf of affected individuals.

You may have been impacted if you applied for or performed work through Mercor, participated in interviews or onboarding processes, or otherwise provided personal or financial information to the platform. If you believe your information may have been affected and would like to learn more about your rights, please contact our team.

The case is: Ananthula, et al. v. Mercor.io Corporation, et al., No. 3:26-cv-03362 (N.D. Cal.)

HAVE YOU BEEN AFFECTED?

If you believe that you may have been affected by any of the above and you would like to learn more, please complete this form.

Please do not include any confidential information when submitting this form. No lawyer-client relationship is formed unless and until an engagement agreement is signed.

First Name
Company Name
Last Name
Email Address
Phone Number
Claim Name
Further contact I would like Hausfeld to contact me with further information: