Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical GhostApproval Flaw in Amazon Q, Claude, Cursor Exposes AI Agents
July 9, 2026
Palo Alto Networks Patches Critical PAN-OS Vulnerability CVE-2024-3400 for RCE
July 9, 2026
Accenture Confirms Data Breach, Stolen Source Code
July 9, 2026
Home/CyberSecurity News/Vercel Confirms Data Breach, Attackers Claim Internal System Access
CyberSecurity News

Vercel Confirms Data Breach, Attackers Claim Internal System Access

Key Takeaways Frontend cloud platform Vercel has confirmed a security breach impacting its internal systems. The attack originated from a compromised third-party AI tool, Context.ai, used by a Vercel...

David kimber
David kimber
April 20, 2026 4 Min Read
33 0

Key Takeaways

  • Frontend cloud platform Vercel has confirmed a security breach impacting its internal systems.
  • The attack originated from a compromised third-party AI tool, Context.ai, used by a Vercel employee.
  • Threat actors gained access to non-sensitive environment variables from a limited number of customer configurations.
  • The notorious ShinyHunters group claims responsibility, offering stolen data for $2 million.
  • Vercel urges customers to rotate non-sensitive API keys and tokens and Google Workspace administrators to check for a specific malicious OAuth app.

Vercel, a leading frontend cloud platform, has officially confirmed a security incident where unauthorized actors infiltrated its internal infrastructure. This revelation follows claims from the notorious ShinyHunters hacking collective, which allegedly attempted to sell stolen Vercel data for $2 million on dark web forums.

Table Of Content

  • Key Takeaways
  • Attack Vector and Impact
  • ShinyHunters Claims $2 Million Data Sale
  • CEO Characterizes Attackers as “Highly Sophisticated”
  • What You Should Do

The company, which underpins millions of developer deployments, issued a security bulletin between April 18 and 19, 2026, acknowledging the breach. Vercel stated it is actively collaborating with cybersecurity firm Mandiant to investigate the scope of the compromise and has alerted law enforcement authorities.

Attack Vector and Impact

The intrusion originated from a compromise involving Context.ai, an AI tool utilized by a Vercel employee. Attackers exploited a malicious or compromised Google Workspace OAuth application linked to Context.ai to gain unauthorized access to the employee’s Google Workspace account.

Once inside, the threat actors successfully navigated to specific Vercel environments, where they accessed and read non-sensitive environment variables from a restricted set of customer configurations. Vercel has clarified that environment variables explicitly designated as “sensitive,” which are stored using enhanced security measures preventing their direct readability, showed no evidence of compromise.

However, any variables not marked as sensitive, which could include critical information such as API keys, tokens, database credentials, or signing keys, should be considered potentially exposed. Vercel strongly advises immediate rotation of such credentials.

The compromised OAuth application has been identified as a critical indicator of compromise (IOC): 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com. Vercel is urging all Google Workspace administrators to conduct an immediate audit of their environments to detect any usage of this specific application.

ShinyHunters Claims $2 Million Data Sale

The incident gained further notoriety when a threat actor, identifying as part of the ShinyHunters group, posted on BreachForums. The post offered what was claimed to be Vercel’s internal database, access keys, source code, employee accounts, API keys, NPM tokens, and GitHub tokens for a price of $2 million.

Vercel Data Breach
Shiny Hunters Claim

As proof of access, the attacker shared a text file allegedly containing 580 Vercel employee records, detailing names, email addresses, account statuses, and activity timestamps. A screenshot purporting to show an internal Vercel Enterprise dashboard was also provided.

Vercel Data Breach
Shiny Hunters Claim

Messages circulated on Telegram by the threat actor also indicated direct communication with Vercel regarding a ransom demand. However, Vercel has not publicly corroborated any such ransom negotiations.

CEO Characterizes Attackers as “Highly Sophisticated”

Vercel CEO Guillermo Rauch described the threat actors as “highly sophisticated,” noting their rapid operational execution and apparent deep understanding of Vercel’s internal architecture. Rauch speculated that artificial intelligence capabilities might have been leveraged by the attackers to expedite their intrusion efforts. He reiterated a strong recommendation for all customers to rotate API keys and tokens as a preventative measure.

Vercel has confirmed that its Next.js framework and the broader supply chain remain unaffected by this incident. All services are currently fully operational, and the company has implemented extensive new protection and monitoring protocols.

Customers who have not received direct notification from Vercel currently show no evidence of compromised credentials or personal data, though the investigation is ongoing.

What You Should Do

  • Review activity logs within your Vercel dashboard or CLI for any unusual or suspicious behavior.
  • Immediately rotate all environment variables containing secrets that were not explicitly marked as sensitive.
  • Enable the sensitive environment variables feature for all future secrets to enhance their protection.
  • Inspect recent deployments for any unexpected or unauthorized changes.
  • Ensure Deployment Protection is configured to Standard or a higher level.
  • Rotate Deployment Protection bypass tokens if they were previously configured.
  • Google Workspace administrators must audit their environments immediately for the identified malicious OAuth app IOC: 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com.

Vercel is providing ongoing updates via its official security bulletin as the investigation progresses.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackBreachCybersecurityHackerSecurityThreat

Share Article

David kimber

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.

Previous Post

Microsoft Teams Right-Click Paste Bug After Edge Browser Update

Next Post

Flowise Critical RCE Vulnerability CVE-2024-5264 in MCP Adapters

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
PromptSpy Android Malware Leverages Google Gemini for Adaptive Attacks
July 8, 2026
ClickFix Phishing Campaign Targets Mexican Bank Customers With Fake Google Verification
July 8, 2026
Lurking Lizard Malware Creates Proxy Nodes via Fake 7-Zip Installers
July 8, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us