Vercel confirms breach as hackers claim to be selling stolen data
Vercel confirms a security incident after a third-party AI tool’s Google Workspace OAuth app was compromised, with attackers claiming to sell stolen data. The breach allegedly allowed access to non‑sensitive environment variables and, later, broader access; Vercel says core services remain unaffected and is working with investigators and law enforcement. Customers are advised to review environment variables, rotate secrets, and enable the sensitive-variable encryption feature; attribution to ShinyHunters remains unverified.

Vercel Breach: Unauthorized Access and Claims of Stolen Data
1) Incident Overview
- Date of disclosure: April 19, 2026. Update notes added later that day.
- Vercel, a cloud development platform known for hosting, deployment infrastructure, and services such as serverless functions, edge computing, and CI/CD pipelines, reported a security incident involving unauthorized access to certain internal systems.
- A threat actor (or actors) claimed to be selling access to Vercel data. The forum post and subsequent reporting describe stolen data and internal deployment access keys.
- Vercel stated that its core services were not disrupted and that it is actively investigating with incident response experts and law enforcement.
- Later updates clarified that the breach originated from a compromised Google Workspace OAuth application belonging to a third-party AI tool, rather than solely from a direct breach of Vercel’s own systems.
2) Company Profile and Services (Context)
- Vercel is widely known for developing Next.js, a popular React framework.
- The platform provides features including serverless functions, edge computing, and CI/CD pipelines designed to help developers build, preview, and deploy applications.
- Vercel emphasized defense-in-depth measures to protect core systems and customer data, including encryption at rest for customer environment variables and various controls to limit exposure.
3) How the Breach Unfolded
- Initial access: An employee Google Workspace account associated with Vercel was compromised via a breach at an AI platform (Context.ai).
- Escalation: The attacker reportedly moved from the compromised Google Workspace account into Vercel environments, accessing environment variables that were not marked as sensitive and therefore not encrypted at rest.
- Having found them, the attacker allegedly enumerated the environment variables, gaining further access beyond the data intended to be non-sensitive.
- Vercel stated that all customer environment variables are stored fully encrypted at rest, and that there are multiple defense-in-depth mechanisms to protect core systems and data. The breach, however, involved a step where non-sensitive variables were enumerated, enabling broader access.
4) Affected Services and Customer Impact
- Vercel asserted that its services themselves were not impacted and that the incident did not disrupt customer-facing operations.
- Impact appeared to be concentrated on internal access and the exposure of certain environment variables and related data, rather than a widespread service outage.
- The company advised impacted customers to review their environment variables and to rotate or protect sensitive data as a precaution.
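
One way to prioritise that review is to scan the variables not marked sensitive for names and value formats that indicate credentials. This is an added example, not Vercel tooling or code from the original report; the inventory record shape (`key`, `sensitive`, `value`) and all sample values are constructed assumptions.

```python
import re

# Value formats to rotate first. GitHub and npm tokens are named in the
# attacker's claims; the URL rule catches credentials embedded in a DSN.
VALUE_RULES = {
    "github_token": re.compile(r"\b(?:gh[pousr]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{22,})"),
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
    "url_with_credentials": re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@"),
}
NAME_RULE = re.compile(r"(SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE|API_?KEY|CREDENTIAL)", re.I)

# Constructed inventory (hypothetical export shape, fake values).
SAMPLE_INVENTORY = [
    {"key": "STRIPE_SECRET_KEY", "sensitive": True, "value": ""},
    {"key": "GITHUB_TOKEN", "sensitive": False, "value": "ghp_" + "A" * 36},
    {"key": "DATABASE_URL", "sensitive": False,
     "value": "postgres://app:example-pass@db.example.internal:5432/app"},
    {"key": "NPM_PUBLISH", "sensitive": False, "value": "npm_" + "b" * 36},
    {"key": "ANALYTICS_API_KEY", "sensitive": False, "value": "not-a-known-format"},
    {"key": "LOG_LEVEL", "sensitive": False, "value": "info"},
]

def triage(inventory):
    """Return [(key, reasons)] for variables not marked sensitive, riskiest first."""
    findings = []
    for var in inventory:
        if var.get("sensitive"):
            continue  # already covered by the sensitive-variable feature
        value = var.get("value", "")
        reasons = [rule for rule, rx in VALUE_RULES.items() if rx.search(value)]
        if NAME_RULE.search(var["key"]):
            reasons.append("secret_like_name")
        if reasons:
            findings.append((var["key"], reasons))
    # A recognised credential format outranks a name-only hit.
    return sorted(findings, key=lambda f: (f[1] == ["secret_like_name"], -len(f[1]), f[0]))

if __name__ == "__main__":
    for key, reasons in triage(SAMPLE_INVENTORY):
        print(f"rotate and mark sensitive: {key} ({', '.join(reasons)})")
```
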
5) Data and Artifacts Allegedly Exposed
- The attacker claimed to provide access keys, source code, and database data allegedly stolen from Vercel, along with access to internal deployments and API keys (including some NPM tokens and GitHub tokens).
- A text file containing Vercel employee information was shared, described as including 580 data records with names, Vercel email addresses, account statuses, and activity timestamps.
- Screenshots were circulated purportedly showing an internal Vercel Enterprise dashboard, though independent verification of authenticity was not established at the time of reporting.
- In communications, the attacker claimed a ransom demand of $2 million was involved, and there were mentions of contact with Vercel regarding the incident.
6) Investigation Status and Company Communications
- Vercel published a security bulletin indicating an ongoing investigation and the involvement of incident response professionals, with coordination with law enforcement.
- The advisory noted that a limited subset of customers was affected and that Vercel was implementing protections to safeguard customers, including guidance around environment variables and the use of its features for sensitive variables.
- CEO statements later confirmed that the initial access came through the compromised Google Workspace account and that the attacker leveraged non-sensitive environment variables before attempting further access. Vercel asserted that sensitive variables remained encrypted and that the platform maintains strong defensive controls.
7) Security Posture, Updates, and Tools
- Vercel rolled out dashboard updates, including:
  - An overview page of environment variables.
  - An enhanced interface for managing sensitive environment variables.
- The company emphasized enabling the sensitive variable feature to ensure that these values are encrypted at rest and better protected from compromise.
- Public advisories urged Google Workspace administrators and Google account owners to review specific OAuth applications connected to their accounts, including one identified OAuth App: 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com.
- Vercel asserted that while there is a capability to mark certain environment variables as non-sensitive, the attacker’s actions demonstrated how enumeration could still yield additional access.
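
The OAuth application review that the advisories ask for can be run over exported Google Workspace token audit events. This is an added example, not code from Vercel or the original report; the record shape is assumed to follow Admin SDK Reports API `token` activities, and every user, timestamp and the second client ID are constructed.

```python
# OAuth client ID named in the advisory above.
FLAGGED_CLIENT_ID = "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com"
OTHER_CLIENT_ID = "000000000000-constructedexample.apps.googleusercontent.com"  # made up

def _activity(time, email, event, client_id, scopes):
    """Build one constructed record in the assumed 'token' activity shape."""
    return {"id": {"time": time}, "actor": {"email": email},
            "events": [{"name": event, "parameters": [
                {"name": "client_id", "value": client_id},
                {"name": "scope", "multiValue": scopes}]}]}

# Constructed sample, listed newest first. All users and times are made up.
SAMPLE = {"items": [
    _activity("2026-04-19T20:05:00Z", "dev1@example.com", "revoke", FLAGGED_CLIENT_ID, []),
    _activity("2026-04-02T09:15:00Z", "dev1@example.com", "authorize", FLAGGED_CLIENT_ID,
              ["https://www.googleapis.com/auth/drive.readonly", "openid"]),
    _activity("2026-03-28T14:40:00Z", "dev2@example.com", "authorize", FLAGGED_CLIENT_ID,
              ["https://www.googleapis.com/auth/gmail.readonly"]),
    _activity("2026-03-20T08:00:00Z", "dev3@example.com", "authorize", OTHER_CLIENT_ID,
              ["openid"]),
]}

def review_grants(activities, client_id=FLAGGED_CLIENT_ID):
    """Return {email: {"active", "scopes", "last_event"}} for one OAuth client."""
    grants = {}
    # Replay oldest-first so a later revoke correctly cancels an earlier grant.
    for item in sorted(activities.get("items", []), key=lambda a: a["id"]["time"]):
        email = item.get("actor", {}).get("email", "unknown")
        for event in item.get("events", []):
            params = {p["name"]: p.get("multiValue", p.get("value"))
                      for p in event.get("parameters", [])}
            if params.get("client_id") != client_id:
                continue
            grant = grants.setdefault(
                email, {"active": False, "scopes": set(), "last_event": None})
            if event["name"] == "authorize":
                grant["active"] = True
                grant["scopes"].update(params.get("scope") or [])
            elif event["name"] == "revoke":
                grant["active"] = False
            grant["last_event"] = item["id"]["time"]
    return grants

if __name__ == "__main__":
    for email, grant in review_grants(SAMPLE).items():
        state = "STILL AUTHORIZED" if grant["active"] else "revoked"
        print(f"{email}: {state}, scopes={sorted(grant['scopes'])}, last={grant['last_event']}")
```

Scopes are kept for revoked grants as well, because they show what the application could reach while the grant was live.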
8) Hacker Claims and Industry Context
- The breach was followed by a claim from a threat actor group (identified as “ShinyHunters” in some communications) about selling access to Vercel data on a hacking forum.
- Some actors linked to the ShinyHunters extortion operations denied involvement in this particular incident when contacted by reporters.
- The forum post described access to employee accounts, internal deployments, API keys, and various tokens. A Telegram share and related images circulated as part of the claim.
- BleepingComputer noted that it could not independently verify the authenticity of the data or screenshots, and stated that negotiations or ransom attempts were alleged but not confirmed.
9) Additional Updates and References
- Update 6:14 PM ET on April 19, 2026 added information disclosed by Vercel after the initial publication.
- Update 7:21 PM ET on April 19, 2026 added further details from Vercel’s CEO about the nature of the initial access and the role of contextual variables in the breach.
- The incident remains under investigation, with ongoing efforts to determine the full scope, confirm data exposure, and assess any downstream impact on customers and third-party integrations.
10) Related Context and Ongoing Coverage
- The breach at Vercel sits alongside other data-security incidents involving large tech platforms and AI tooling ecosystems, underscoring the risk that compromised third-party authentication and OAuth configurations can introduce into cloud service environments.
- Coverage highlights that third-party tools and integrations—especially those connected to identity systems like Google Workspace—can become adversary footholds if credentials or tokens are compromised.
- The broader ecosystem continues to monitor for any downstream exposure or attempts to leverage compromised credentials in connected deployments, with continued emphasis on encryption at rest, proper classification of sensitive data, and robust access controls.