Mercor Got Hacked. Your Data Was Exposed. Here's What You Can Do
What happened
On March 31, 2026, Mercor, an AI hiring platform that handles sensitive personal data including resumes, work history, and identity documents for contractors and job candidates, disclosed that they were impacted by a supply chain attack through LiteLLM. Customer data was exposed to unauthorized third parties.
Mercor acknowledged the breach publicly and sent emails to affected users stating "your privacy and security are foundational to everything we do," but offered no compensation, no credit monitoring, and no concrete remediation beyond saying they're "investigating."

Why this matters
If you had an account on Mercor, exposed data may include:
- Full legal name, email address, phone number
- Resume and work history
- Identity documents (if onboarded as a contractor)
- Interview recordings and assessment data
- Payment information
This isn't just an email address getting leaked. Mercor collects deeply personal information as part of their hiring and vetting process. If that data was exposed, the potential for identity theft, fraud, and financial harm is real.
What the law says
Mercor is headquartered in San Francisco. Several California statutes are relevant to data breach situations like this:
- California Consumer Privacy Act (CCPA), Civil Code § 1798.150 — Provides consumers with a private right of action when a business fails to implement reasonable security measures and unencrypted personal information is breached. Statutory damages range from $100 to $750 per consumer per incident, or actual damages, whichever is greater.
- California Civil Code § 1798.81.5 (Customer Records Act) — Requires businesses to implement and maintain reasonable security procedures appropriate to the nature of the information they hold.
- California Civil Code § 1798.82 — Requires timely and adequate breach notification. Delayed or inadequate notice may support additional damages claims.
- California Business & Professions Code § 17200 — Prohibits unfair, unlawful, or fraudulent business practices. Failures in data security combined with inadequate response may fall under this statute.
Whether these laws apply to a specific individual's situation depends on the facts of their case.
What sending a demand letter does
A demand letter is a formal written notice informing a company that a legal claim exists and requesting compensation or action. Regardless of where a dispute ultimately ends up (a direct settlement, a class action, or court), the demand letter is the formal first step.
When a demand letter is sent through PettyLawsuit:
- The letter is emailed directly to the company's leadership and legal contacts
- A physical copy is sent via USPS certified mail, creating a legal paper trail confirming receipt
- Follow-up emails and phone calls are made pushing for a response
- If no response is received within the stated deadline, documentation is prepared for next steps. For cases that qualify for small claims court, PettyLawsuit handles the filing. We are a certified Electronic Filing Service Provider (EFSP) in most state courts.
What to realistically expect
A data breach demand letter is different from a typical "someone owes me money" dispute. The harm is real but harder to quantify. There's no single invoice or broken product to point to. That's why statutes like the CCPA exist: to establish minimum damages when a company fails to protect personal data.

Here's the range of what happens after demand letters go out in situations like this:
- Some companies settle directly. Legal teams see demand letters arriving and decide it's more cost-effective to resolve claims individually. Settlements in data breach cases are typically in the hundreds of dollars and may involve an NDA.
- A class action gets filed. Attorneys file a broader lawsuit on behalf of affected consumers. Having a documented demand letter with a certified mail receipt strengthens an individual's position in that proceeding. It's proof that you identified yourself as affected and took action.
- The company monitors the volume. If enough individuals file claims, the cost-benefit calculation shifts. Each demand letter adds to the collective pressure that can force a company to respond.
- Nothing happens immediately. This is also a real possibility. The company may not respond to your letter directly. But the record exists (the certified mail receipt, the documentation, the paper trail), and that record has value if the situation develops further through a class action, regulatory action, or future settlement.
Why bother if they might not respond right away?
Three reasons:
- It creates a legal record. For anyone who later needs to prove they were affected (for a class action, regulatory complaint, credit monitoring claim, or identity theft insurance), a certified demand letter on file is strong documentation. It's timestamped proof that you identified the harm and took formal action.
- It's how accountability happens. Companies invest in data security when breaches have consequences. Individual claims change that math. When the cost of a breach includes hundreds of demand letters, companies take prevention more seriously.
- It's $49. Most people spend more on a dinner out. For $49, the result is a professional legal document, certified delivery, follow-up communication, and a documented record of your claim. The downside is minimal. The potential upside is real.
What PettyLawsuit does not do
- We do not represent anyone in court or in legal proceedings. We are not a law firm.
- We do not guarantee any outcome. No one can guarantee that a company will pay or respond.
- We do not provide legal advice about whether any specific claim is strong or viable. Anyone needing that guidance should consult a licensed attorney.
- We do not file class action lawsuits at the moment. If a class action is filed separately by attorneys, demand letter documentation may support individual claims within that proceeding.

The bottom line
Mercor collected sensitive personal data (resumes, identity documents, interview recordings), and that data was exposed. Their response offered no compensation and no concrete remediation.
Doing nothing is always an option. The alternative is spending 10 minutes and $49 to formally document the claim, put the company on legal notice via certified mail, and create a record that can be used in whatever comes next, whether that's a direct settlement, a class action, or simply having proof on file that you took action.
PettyLawsuit is an agentic legal action platform that gives consumers and small businesses the ability to take formal legal action, without hiring a lawyer. From certified demand notices and follow-up calls to court filing, the platform handles the entire process across all 50 states. We are not a law firm. This post is for general informational purposes only and does not constitute legal advice. Every situation is different. If you need advice about your specific circumstances, consult a licensed attorney in your state.