--- title: "Updates" description: "Mercor incident updates, including sources and public notices, collected in one place." canonical_url: "https://alpha.mercor.instalaw.io/updates" last_updated: "2026-04-02" --- # Mercor updates, notices, and sources. This page collects meaningful public updates in one place so visitors can quickly see what has been shared and what sources back it up. ## Mercor issued an email notice to affected people **Badge:** Update 01 **Date:** April 16, 2026 A screenshot provided to MercorClaims shows Mercor sending an initial notice about the incident to affected people. In the message, the company says it moved quickly to secure systems, opened an investigation, and brought in third-party forensic experts. ### What the record shows - Mercor describes the event as a recent security incident that affected its systems alongside many other organizations worldwide. - The company says it took prompt action to secure its systems and started a thorough investigation immediately after learning about the incident. - The notice says leading third-party forensic experts are supporting the investigation. - Mercor says it is unable to share more information yet while the investigation remains active. ### Why this matters This is the first direct source on the site showing that Mercor emailed affected people, confirmed the breach, and said the investigation is still in progress. ### Additional context The notice also says Mercor cannot share additional detail yet because the investigation is ongoing, and that future updates will be shared through official Mercor channels as appropriate. ### Source material Source: screenshot of the email notice shared with affected people. ### Evidence snapshot ![Recreated screenshot of Mercor's incident notice email to affected people.](/updates/mercor-email-notice.svg) Original screenshot shared with MercorClaims · redactions by the source. ## TechCrunch confirms Mercor was hit by a cyberattack **Badge:** Update 02 **Date:** April 03, 2026 On March 31, 2026, TechCrunch reported that Mercor confirmed it was affected by a security incident — the first on-the-record confirmation from the company to a news outlet. The story is the earliest widely cited public source tying the incident to Mercor by name. ### What the record shows - TechCrunch reported that Mercor confirmed it had been affected by a security incident. - The outlet tied the Mercor incident to the compromise of the open-source LiteLLM project used across the AI industry. - Mercor said it had moved promptly to contain and remediate the incident. - Mercor said leading third-party forensic experts were assisting with the investigation. ### Why this matters Until this story, the incident had not been publicly confirmed by Mercor. The TechCrunch report fixes a date, a cause, and a first response on the record. ### Additional context The TechCrunch article remains the primary-media anchor point for the timeline. Anything that predates it is either rumor, a leaked sample, or internal to Mercor. ### Source material Source: TechCrunch, “Mercor says it was hit by cyberattack tied to compromise of open source LiteLLM project,” March 31, 2026. ### Further reading - [Read the TechCrunch story](https://techcrunch.com/2026/03/31/mercor-says-it-was-hit-by-cyberattack-tied-to-compromise-of-open-source-litellm-project/) ## The incident is linked to a compromise of the LiteLLM project **Badge:** Update 03 **Date:** April 03, 2026 Public reporting ties the Mercor incident to a compromise of LiteLLM — a widely used open-source project that brokers calls between applications and large-language-model providers. The link matters because it reframes the breach as a supply-chain event, not an isolated Mercor-only failure. ### What the record shows - LiteLLM is an open-source proxy/library used to route requests between applications and LLM providers. - Public reporting says the Mercor incident is tied to the compromise of LiteLLM. - Mercor's own notice describes the event as one that affected its systems alongside many other organizations worldwide. - Because the compromise is upstream, other organizations that depend on LiteLLM may be affected by the same root event. ### Why this matters A supply-chain compromise is qualitatively different from a direct breach. It widens the question from “what did Mercor do” to “what did everything downstream of LiteLLM do.” ### Additional context LiteLLM is used by a large number of AI companies as infrastructure glue. A compromise of its software supply chain can ripple outward into any organization that depends on it. ### Source material Source: TechCrunch reporting, March 31, 2026; corroborated by Mercor's own description of the event as affecting its systems “alongside many other organizations worldwide.” ## A sample of allegedly stolen data was shown publicly **Badge:** Update 04 **Date:** April 03, 2026 According to TechCrunch, a sample of data purportedly stolen from Mercor included references to internal Slack data and what appeared to be ticketing data. The same report says the sample also included two videos purportedly showing conversations between Mercor's AI systems and contractors on the platform. ### What the record shows - The preview referenced Slack data — i.e., internal workplace-chat content. - The preview also referenced what appeared to be ticketing data — i.e., internal support or workflow tickets. - Two short videos were shown, purportedly recording conversations between Mercor's AI systems and platform contractors. - No independent verification of the sample's authenticity has been published. ### Why this matters If authentic, the sample suggests the incident reached beyond public-facing records into internal communications and platform-recorded sessions with contractors. ### Additional context Claims made by a threat actor are not, on their own, proof of what was taken. The sample gives a sense of the categories being advertised; the full scope remains unconfirmed. ### Source material Source: TechCrunch, March 31, 2026. The sample has been described by the outlet but has not been independently authenticated by MercorClaims. ## What Mercor's own policies say it collects **Badge:** Update 05 **Date:** April 10, 2026 Mercor's public privacy policy and its AI-and-data documentation list the categories of information the platform collects. These documents don't say what was taken — but they define the outer envelope of what could plausibly be at risk in an incident affecting Mercor systems. ### What the record shows - The privacy policy lists name, email, phone, resume, work history, skills, and account credentials among the data the platform collects. - It also lists interview recordings and transcripts, profile photos, and salary expectations. - The AI/data documentation adds video or audio interviews, AI transcripts, public profile data, and location and work preferences. - It also notes that, if provided or authorized, payment, tax, or background-check-related information may be held. ### Why this matters People trying to understand their exposure need to know what the platform holds in the first place. Mercor's own documents are the most authoritative answer available today. ### Additional context Scope of exposure is still not confirmed by Mercor. This entry is a reading of Mercor's own public documents and is provided for context, not as a claim about what the incident touched. ### Source material Source: Mercor Privacy & Cookies policy (last updated August 27, 2025); Mercor's “How Mercor Uses AI and Data” documentation. ### Further reading - [Mercor Privacy & Cookies policy](https://www.mercor.com/data-privacy-policy/) - [How Mercor Uses AI and Data](https://talent.docs.mercor.com/policies/data-ai-usage) ## MercorClaims opens the public archive **Badge:** Update 06 **Date:** April 16, 2026 MercorClaims opened its public archive to collect, date, and cite the material surfacing around the Mercor incident. The archive links every entry back to the public source it came from, so visitors can read the record rather than a summary of it. ### What the record shows - The archive covers email notices, press reporting, court filings, and public statements tied to the Mercor incident. - Each entry includes a badge, a date, a summary, and a citation back to the underlying source. - The archive is not a law firm. - New entries are added as new sources become public; older entries are preserved unchanged. ### Why this matters Breach coverage is scattered. A single dated, cited record helps visitors judge what is known — and what is still open. ### Additional context The archive is free and will remain free. It does not collect names, emails, or accounts to read — email updates are opt-in only. ### Source material Source: site launch notice published by MercorClaims editors, April 16, 2026. ## Sitemap See the full [sitemap](/sitemap.md) for all pages.