Mercor Hit by Lawsuits, Client Suspensions After LiteLLM Data Breach
Mercor faces lawsuits and client suspensions following a March data breach linked to LiteLLM.
Why it matters: Vendor vulnerabilities now trigger rapid legal and business consequences, including litigation and high-profile client disruptions. Legal teams must reassess contractual liability, incident response protocols, and oversight of third-party code.
- Mercor disclosed a LiteLLM-linked data breach on March 25, 2026, affecting client data.
- Meta suspended work with Mercor following the breach; OpenAI continues to review its own exposure.
- A class action lawsuit was filed in U.S. federal court alleging Mercor failed to protect 40,000 individuals' data, according to ClaimDepot.
- Reports in Fortune and Cybernews confirm major client impacts and ongoing probes, but lawsuit details are not independently verified by major outlets.
Mercor, an AI data provider valued at $10 billion, is under legal and commercial fire after a March 2026 data breach traced to tampered LiteLLM open-source code. The breach has brought immediate lawsuits and triggered suspensions from high-profile clients.
- On March 25, 2026, Mercor confirmed attackers accessed data through modified LiteLLM connectors—a popular open-source tool linking apps to AI models.
- Fortune reports the breach may have exposed sensitive data from clients including OpenAI, Anthropic, and Meta. Lapsus$ claimed responsibility, alleging theft of up to 4TB of information.
- Following the incident, Meta suspended all collaboration with Mercor. OpenAI continues to investigate its exposure but remains a Mercor client as of April 2026.
- A class action lawsuit was filed in federal court in California on March 28, alleging that lapses in data protection affected 40,000 people (ClaimDepot). However, major news organizations have not independently confirmed lawsuit specifics.
Mercor spokesperson Heidi Hagberg emphasized, “The privacy and security of our customers and contractors is foundational,” adding that Mercor is coordinating with all affected organizations.
This breach illustrates how a compromise in a widely used open-source component can cascade, escalating rapidly from a technical incident into contractual and regulatory risk. Supply chain attacks—where attackers target third-party software—can expose organizations to both lost business and litigation. Legal professionals should proactively map software dependencies and ensure contracts include robust data security language, as well as clearly defined breach notification and mitigation responsibilities.
Given the pace and scale of client fallout, monitoring updates from directly impacted organizations remains essential for risk assessment.
By the numbers:
- $10 billion — Mercor's reported market valuation in 2026 (Fortune)
- 40,000 — Individuals allegedly affected by the breach, per ClaimDepot court filing
- 4TB — Amount of data Lapsus$ claims to have stolen from Mercor
Yes, but: No major news outlets have independently confirmed all details of the class action lawsuit or the full extent of data exfiltrated.
What's next: OpenAI's ongoing investigation and further reporting from major clients or regulatory agencies could clarify longer-term legal exposure.