— Index —
01What we track02Protect yourself03Questions04Updates05Press
Subscribe
Case Nº MC-2026-0416Latest entry April 16, 2026
§ About

Real developments — collected, dated, and shown alongside the sources that back them up.

Open & updated
Posted6 updates
Source-backedYes
Ties to MercorNone
AccessPublic
§ Contents
  1. § 01Mercor issued an email notice to affected people
  2. § 02TechCrunch confirms Mercor was hit by a cyberattack
  3. § 03The incident is linked to a compromise of the LiteLLM project
  4. § 04A sample of allegedly stolen data was shown publicly
  5. § 05What Mercor's own policies say it collects
  6. § 06MercorClaims opens the public archive
Source-Backed

What’snew.

This page collects meaningful public updates in one place so visitors can quickly see what has been shared and what sources back it up.
UpdateSource-backedCompiled from open sourcesUpdated as new material arrivesAlways freeUpdateSource-backedCompiled from open sourcesUpdated as new material arrivesAlways freeUpdateSource-backedCompiled from open sourcesUpdated as new material arrivesAlways free
The record

§ Entries

What has
been confirmed.

Every entry below is tied to a source — a notice, a news story, a policy page, or a filing. Read it end-to-end and judge for yourself.

Update 01 · April 16, 2026
Source-Backed
01

Mercor issued an email notice to affected people

A notice from Mercor, to affected parties.

A screenshot provided to MercorClaims shows Mercor sending an initial notice about the incident to affected people. In the message, the company says it moved quickly to secure systems, opened an investigation, and brought in third-party forensic experts.

§ What the record shows
Nº of points · 04
  1. § 01

    Mercor describes the event as a recent security incident that affected its systems alongside many other organizations worldwide.

  2. § 02

    The company says it took prompt action to secure its systems and started a thorough investigation immediately after learning about the incident.

  3. § 03

    The notice says leading third-party forensic experts are supporting the investigation.

  4. § 04

    Mercor says it is unable to share more information yet while the investigation remains active.

§ Why this matters

This is the first direct source on the site showing that Mercor emailed affected people, confirmed the breach, and said the investigation is still in progress.

§ Note

The notice also says Mercor cannot share additional detail yet because the investigation is ongoing, and that future updates will be shared through official Mercor channels as appropriate.

§ Source

Source: screenshot of the email notice shared with affected people.

Update 02 · April 03, 2026
Press Record
02

TechCrunch confirms Mercor was hit by a cyberattack

A first-party confirmation, on the record.

On March 31, 2026, TechCrunch reported that Mercor confirmed it was affected by a security incident — the first on-the-record confirmation from the company to a news outlet. The story is the earliest widely cited public source tying the incident to Mercor by name.

§ What the record shows
Nº of points · 04
  1. § 01

    TechCrunch reported that Mercor confirmed it had been affected by a security incident.

  2. § 02

    The outlet tied the Mercor incident to the compromise of the open-source LiteLLM project used across the AI industry.

  3. § 03

    Mercor said it had moved promptly to contain and remediate the incident.

  4. § 04

    Mercor said leading third-party forensic experts were assisting with the investigation.

§ Why this matters

Until this story, the incident had not been publicly confirmed by Mercor. The TechCrunch report fixes a date, a cause, and a first response on the record.

§ Note

The TechCrunch article remains the primary-media anchor point for the timeline. Anything that predates it is either rumor, a leaked sample, or internal to Mercor.

§ Source

Source: TechCrunch, “Mercor says it was hit by cyberattack tied to compromise of open source LiteLLM project,” March 31, 2026.

Update 03 · April 03, 2026
Root Cause
03

The incident is linked to a compromise of the LiteLLM project

A cause, not just a consequence.

Public reporting ties the Mercor incident to a compromise of LiteLLM — a widely used open-source project that brokers calls between applications and large-language-model providers. The link matters because it reframes the breach as a supply-chain event, not an isolated Mercor-only failure.

§ What the record shows
Nº of points · 04
  1. § 01

    LiteLLM is an open-source proxy/library used to route requests between applications and LLM providers.

  2. § 02

    Public reporting says the Mercor incident is tied to the compromise of LiteLLM.

  3. § 03

    Mercor's own notice describes the event as one that affected its systems alongside many other organizations worldwide.

  4. § 04

    Because the compromise is upstream, other organizations that depend on LiteLLM may be affected by the same root event.

§ Why this matters

A supply-chain compromise is qualitatively different from a direct breach. It widens the question from “what did Mercor do” to “what did everything downstream of LiteLLM do.”

§ Note

LiteLLM is used by a large number of AI companies as infrastructure glue. A compromise of its software supply chain can ripple outward into any organization that depends on it.

§ Source

Source: TechCrunch reporting, March 31, 2026; corroborated by Mercor's own description of the event as affecting its systems “alongside many other organizations worldwide.”

Update 04 · April 03, 2026
Unverified Sample
04

A sample of allegedly stolen data was shown publicly

What the threat actor claimed to have.

According to TechCrunch, a sample of data purportedly stolen from Mercor included references to internal Slack data and what appeared to be ticketing data. The same report says the sample also included two videos purportedly showing conversations between Mercor's AI systems and contractors on the platform.

§ What the record shows
Nº of points · 04
  1. § 01

    The preview referenced Slack data — i.e., internal workplace-chat content.

  2. § 02

    The preview also referenced what appeared to be ticketing data — i.e., internal support or workflow tickets.

  3. § 03

    Two short videos were shown, purportedly recording conversations between Mercor's AI systems and platform contractors.

  4. § 04

    No independent verification of the sample's authenticity has been published.

§ Why this matters

If authentic, the sample suggests the incident reached beyond public-facing records into internal communications and platform-recorded sessions with contractors.

§ Note

Claims made by a threat actor are not, on their own, proof of what was taken. The sample gives a sense of the categories being advertised; the full scope remains unconfirmed.

§ Source

Source: TechCrunch, March 31, 2026. The sample has been described by the outlet but has not been independently authenticated by MercorClaims.

Update 05 · April 10, 2026
Context
05

What Mercor's own policies say it collects

Context for what could be at risk.

Mercor's public privacy policy and its AI-and-data documentation list the categories of information the platform collects. These documents don't say what was taken — but they define the outer envelope of what could plausibly be at risk in an incident affecting Mercor systems.

§ What the record shows
Nº of points · 04
  1. § 01

    The privacy policy lists name, email, phone, resume, work history, skills, and account credentials among the data the platform collects.

  2. § 02

    It also lists interview recordings and transcripts, profile photos, and salary expectations.

  3. § 03

    The AI/data documentation adds video or audio interviews, AI transcripts, public profile data, and location and work preferences.

  4. § 04

    It also notes that, if provided or authorized, payment, tax, or background-check-related information may be held.

§ Why this matters

People trying to understand their exposure need to know what the platform holds in the first place. Mercor's own documents are the most authoritative answer available today.

§ Note

Scope of exposure is still not confirmed by Mercor. This entry is a reading of Mercor's own public documents and is provided for context, not as a claim about what the incident touched.

§ Source

Source: Mercor Privacy & Cookies policy (last updated August 27, 2025); Mercor's “How Mercor Uses AI and Data” documentation.

Update 06 · April 16, 2026
Site Update
06

MercorClaims opens the public archive

A single place to read the record.

MercorClaims opened its public archive to collect, date, and cite the material surfacing around the Mercor incident. The archive links every entry back to the public source it came from, so visitors can read the record rather than a summary of it.

§ What the record shows
Nº of points · 04
  1. § 01

    The archive covers email notices, press reporting, court filings, and public statements tied to the Mercor incident.

  2. § 02

    Each entry includes a badge, a date, a summary, and a citation back to the underlying source.

  3. § 03

    The archive is not a law firm.

  4. § 04

    New entries are added as new sources become public; older entries are preserved unchanged.

§ Why this matters

Breach coverage is scattered. A single dated, cited record helps visitors judge what is known — and what is still open.

§ Note

The archive is free and will remain free. It does not collect names, emails, or accounts to read — email updates are opt-in only.

§ Source

Source: site launch notice published by MercorClaims editors, April 16, 2026.

Back to homeVisit the press room
§ About this site

More updates
as they arrive.

More notices, court filings, confirmed public statements, and social coverage will be added here as new sources become available.

Have a source to share? Send it to the editors — every addition is checked, dated, and cited before it’s posted.