- Meta has indefinitely paused all work with data contracting firm Mercor following a major security breach confirmed on March 31, 2026.
- Mercor supplies proprietary training datasets to OpenAI, Anthropic, Meta, and other AI labs using networks of human contractors.
- The breach potentially exposed details about how major AI labs train their models, information considered highly sensitive competitive intelligence.
- OpenAI has not paused its work with Mercor but is investigating how its proprietary training data may have been exposed.
What Happened
Meta has indefinitely suspended all engagements with Mercor, one of the AI industry’s most important data contracting firms, following a security breach that the startup confirmed to its staff on March 31, 2026. Two sources confirmed the pause to WIRED, describing the suspension as indefinite. Other major AI laboratories are also reevaluating their relationships with Mercor as they assess the full scope of the incident, according to people familiar with the matter.
Mercor confirmed the attack in an internal email to staff: “There was an unauthorized access to certain internal systems.” The company hires massive networks of human contractors to generate bespoke, proprietary datasets for AI labs, making it a critical node in the supply chain for the training data that powers products like ChatGPT and Claude Code.
Why It Matters
The breach strikes at one of the most competitively sensitive aspects of the AI industry: the proprietary training data that differentiates one company’s models from another’s. AI labs guard these datasets and their associated methodologies closely because they can reveal to competitors, including Chinese AI companies, key details about how models are trained, fine-tuned, and optimized for specific tasks. The exposed data could theoretically provide insight into how companies like OpenAI, Anthropic, and Meta construct the customized datasets that give their models distinctive capabilities and behaviors.
The incident also highlights structural security risks in the AI industry’s reliance on third-party data vendors. Mercor is one of only a few firms operating at the scale required by major AI labs, which need thousands of human annotators to generate supervised fine-tuning data and reinforcement learning from human feedback (RLHF) datasets. This vendor concentration creates situations where a single security failure can simultaneously compromise sensitive data from multiple competing organizations.
Technical Details
Mercor’s role in the AI ecosystem involves recruiting and managing large networks of human contractors who generate training data tailored to each client lab’s specifications. This data is used for supervised fine-tuning, RLHF, and evaluation, all processes that are critical to making large language models useful, accurate, and safe. The specificity of these datasets, including the types of tasks assigned, quality criteria applied, evaluation rubrics used, and the characteristics of the model responses that are rewarded or penalized, constitutes core intellectual property for each AI lab.
An OpenAI spokesperson confirmed to WIRED that the company is actively investigating the incident to determine how its proprietary training data may have been affected, while emphasizing that the breach “in no way affects OpenAI user data.” Anthropic did not respond to WIRED’s request for comment. The full scope of what data was accessed during the unauthorized intrusion remains under active investigation by Mercor and its affected clients.
The breach’s potential competitive impact depends heavily on what specific data categories were compromised. If the exposed information included detailed task specifications, annotation guidelines, model evaluation criteria, or annotated training examples with quality scores, it could provide competitors with actionable intelligence about training approaches that would otherwise take months or years to reverse-engineer.
Who’s Affected
Meta, OpenAI, Anthropic, and other AI labs that contract with Mercor face potential exposure of proprietary training methodologies and dataset specifications. Mercor’s extensive network of human contractors may also face personal data exposure, though the extent of individual-level data compromise has not been publicly disclosed. The broader AI industry confronts uncomfortable questions about supply chain security, as the incident demonstrates that a single vendor breach can simultaneously affect multiple competing companies that depend on the same data infrastructure.
What’s Next
Meta’s pause with Mercor is indefinite, and other AI labs may follow with similar suspensions depending on investigation findings. Mercor will need to demonstrate materially improved security practices, likely including third-party security audits and enhanced access controls, to retain its position as a trusted vendor to the AI industry. The incident may accelerate efforts by major AI labs to bring more data generation and annotation work in-house or to diversify their vendor relationships to reduce single points of failure in their training data supply chains.
