Mercor breach claims: What happened with the AI recruiting platform data leak

Mercor, an AI recruiting platform valued at around $10 billion, has acknowledged a data breach following claims made by the hacking group Lapsus$. The company stated that it is investigating the incident with the help of third-party cybersecurity experts and has taken steps to contain the breach.

Lapsus$ has alleged that it accessed approximately 4 terabytes of data from Mercor, including source code, user databases, video interviews, and identity verification documents. The group reportedly attempted to auction the stolen data on the dark web.

Mercor has not confirmed the full extent of the alleged data theft, including whether sensitive contractor identity documents were compromised.

Supply chain attack linked to LiteLLM

The breach is believed to be connected to a broader supply chain attack involving a compromised version of the open-source library LiteLLM. Malicious versions of the software were briefly made available through the PyPI repository after a maintainer’s credentials were compromised.

These compromised versions reportedly included embedded backdoors capable of harvesting credentials and enabling persistent access. Because LiteLLM is widely used in AI infrastructure, systems configured to automatically update packages may have inadvertently installed the malicious code.

The incident is described as part of a supply chain attack affecting multiple organisations globally. Security researchers estimate that thousands of systems may have downloaded the compromised package during the short window it was available.

Reports indicate that the attack may have impacted a wide range of companies beyond Mercor, with ongoing investigations suggesting a broader pattern of compromise across SaaS and AI environments.

Data reportedly involved

According to claims made by Lapsus$, the stolen dataset includes large volumes of sensitive material such as:

• Platform source code
• User databases
• Video interview recordings
• Identity verification documents

The alleged inclusion of identity verification data raises concerns for contractors who use the platform, as Mercor requires users to submit personal identification for onboarding.

Company response

Mercor has stated that it is working to assess the incident and mitigate its impact. The company has indicated that operations remain largely unaffected while investigations continue. It has not publicly confirmed the authenticity of the hackers’ claims regarding the volume or nature of the data accessed.

The incident highlights risks associated with supply chain attacks, where widely used software components are compromised to infiltrate multiple organisations at once. Given the reliance of AI companies on shared libraries and tools, such attacks can have cascading effects across the industry.

The investigation is ongoing, and the full scope of the breach, including the number of affected users and organisations, has not yet been confirmed.