Update on Mercor security incident

In late March 2026, Mercor was affected by a supply chain cyber attack that hit a significant number of companies and was caused by malware affecting LiteLLM, a commonly used open-source tool. We quickly discovered the activity, secured our systems, and conducted a robust and comprehensive investigation assisted by leading third-party forensics experts. That investigation is now complete. We want to share what happened, what we found, and what we’ve done to protect our customers, experts, and employees.
What happened
In March, a malicious actor published compromised versions of LiteLLM designed to exfiltrate credentials from any system that installed them. Our security team determined that Mercor was affected during the relevant timeframe and immediately took action to contain unauthorized activity.
We worked with leading industry experts including Google’s Mandiant, Latacora, industry peers, and law enforcement to investigate and take appropriate action. We worked to get answers as quickly as possible while also prioritizing accurate information.
What the investigation found
- Experts: Of our nearly five million experts, only a very limited subset had sensitive information affected. There is no evidence that any of this data has been used fraudulently. We are in the process of notifying these individuals directly. The notifications will include details about the type of information affected along with an offer of TransUnion identity protection services.
- Customers: Because of how our work is structured, many of our customers operate on their own platforms rather than ours, meaning the impact to customer information was very limited. We were in direct and regular contact with our customers throughout the investigation and have shared findings specific to each of them. We are grateful for their cooperation as we worked through this situation and are pleased to report that all frontier labs have increased their work with us over the last few months.
- Employees: No employee data was affected.
What we’ve done
- We prioritized timely and direct communication with our customers, experts, and employees as we had information to share.
- We’ve taken steps to further invest in and strengthen our security posture, including:
  - Auditing all third-party dependencies
  - Regularly rotating all credentials and access keys across our cloud platforms, GitHub, and SaaS systems
  - Deploying restrictive cloud security policies and tightened network controls
  - Ongoing open-box penetration testing by independent security researchers
  - Implementing 24/7 managed detection and response
Looking forward
Mercor has taken many steps to further strengthen our systems, including implementing more safeguards, expanding security protections, and enhancing our monitoring processes. We will continue to invest in our team and systems to ensure we are a trusted partner to experts and customers. We appreciate the patience, support, and trust of our community.
We believe as AI gets more powerful, human expertise gets more valuable. We're building the company that makes that true and creates real economic value for people. We look forward to continuing that focus with them and building a generational company focused on truly consequential work.
