Vercel Faces Security Breach: Data Offered for $2 Million

Synopsis

Cloud development platform Vercel confirmed a security breach after an employee's Google Workspace account was compromised via a third-party AI vulnerability. Attackers gained unauthorized access to internal systems, targeting non-sensitive environment variables. The data, including source code and API keys, is reportedly being sold for $2 million.

Agencies
American cloud development platform Vercel on Sunday confirmed a security breach allowing an attacker to gain unauthorised access to data for a “limited subset of customers”.

“We’ve identified a security incident that involved unauthorized access to certain internal Vercel systems. We are actively investigating, and we have engaged incident response experts to help investigate and remediate. We have notified law enforcement,” the company wrote in a blogpost.

What was the data breach about?

The data breach occurred after an employee’s Google Workspace account was compromised via a vulnerability at the third-party AI platform Context.ai.

Vercel CEO Guillermo Rauch confirmed that hackers exploited this foothold to infiltrate internal systems with “surprising speed”, suggesting the attackers likely used AI-driven tools to navigate the company's infrastructure and identify technical vulnerabilities.

The intruders specifically targeted environment variables, focusing on those marked as ‘non-sensitive,’ a convenience feature now undergoing a rigorous security review.

Although Vercel emphasises that sensitive data remained encrypted at rest and that the impact was limited to a small number of customers, the fallout has escalated into a high-stakes extortion attempt.

The threat actor, identified by some as the group ShinyHunters, listed Vercel's data for sale on BreachForums for $2 million. The hackers claim to have exfiltrated source code, internal databases, and API keys.

“Vercel stores all customer environment variables fully encrypted at rest. We have numerous defense-in-depth mechanisms to protect core systems and customer data. We do have a capability however to designate environment variables as ‘non-sensitive’. Unfortunately, the attacker got further access through their enumeration,” CEO Rauch wrote in a post on X.

Per The Information, last September, Vercel raised $300 million at a $9.3 billion valuation.

How is Vercel currently tackling the breach?

The company is prioritising investigation, customer communication, tightening security, and cleaning affected systems.

Vercel has confirmed that core tools and projects such as Next.js and Turbopack remain secure and uncompromised.

Vercel has partnered with Google’s Mandiant team and law enforcement to investigate the full scope of the breach.

The company has already begun rolling out new safeguards, specifically enhancing the visibility and control of environment variables within its dashboard.

Rauch has committed to transforming this incident into a catalyst for the 'strongest security response possible' for the platform.

“At the moment, we believe the number of customers with security impact to be quite limited. All of our focus right now is on investigation, communication to customers, enhancement of security measures, and sanitisation of our environments. We’ve deployed extensive protection measures and monitoring,” Rauch added in his post.

Further, Vercel has directly contacted affected individuals, advising them to immediately rotate sensitive credentials such as passwords and API keys, and to monitor access logs for signs that attackers have already used those keys, so that further unauthorised activity can be prevented.
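The two practical points in this story for defenders are that credentials tend to leak into environment variables marked as plain or “non-sensitive”, and that affected teams are told to find and rotate such values. The following audit script is an added illustration written for this summary; it is not Vercel’s tooling, and the export format it reads (a JSON list of records with `name`, `value` and a boolean `sensitive` flag) is an assumption rather than any real platform API schema. It flags non-sensitive variables whose names, value prefixes, entropy or embedded connection-string passwords suggest they are really secrets, so they can be moved to protected storage and rotated. The sample export is constructed for the example.

```python
"""Audit an environment-variable export for secrets stored as non-sensitive.

Added example, not Vercel's own code. The record format (name / value /
sensitive) is an assumption for illustration; adapt the loader to whatever
your platform actually exports.
"""
import json
import math
import re

# Name fragments that usually indicate a credential (heuristic list).
SECRET_NAME_HINTS = re.compile(
    r"(SECRET|TOKEN|PASSWORD|PASSWD|API_?KEY|PRIVATE_?KEY|ACCESS_?KEY|SIGNING_?KEY|CREDENTIAL)",
    re.IGNORECASE,
)
# Value prefixes used by some well-known credential formats (constructed, non-exhaustive).
KNOWN_PREFIXES = ("sk_live_", "sk_test_", "ghp_", "AKIA", "xoxb-", "-----BEGIN")
# user:password@host inside a connection string.
URL_WITH_PASSWORD = re.compile(r"://[^/@\s]+:[^/@\s]+@")

# Constructed sample export; none of these values are real credentials.
SAMPLE_EXPORT = json.dumps([
    {"name": "NEXT_PUBLIC_API_URL", "value": "https://api.example.invalid", "sensitive": False},
    {"name": "STRIPE_SECRET_KEY", "value": "sk_live_EXAMPLEONLY0000000000", "sensitive": False},
    {"name": "DATABASE_URL", "value": "postgres://app:hunter2@db.internal/app", "sensitive": False},
    {"name": "JWT_SIGNING_KEY", "value": "redacted-already-protected", "sensitive": True},
    {"name": "FEATURE_FLAGS", "value": "beta-dashboard,new-checkout", "sensitive": False},
    {"name": "GITHUB_TOKEN", "value": "ghp_constructedexamplevalue0123456789", "sensitive": False},
])


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking keys score high."""
    if not s:
        return 0.0
    counts: dict = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_secret(name: str, value: str) -> list:
    """Return the list of reasons a variable appears to hold a credential."""
    reasons = []
    if SECRET_NAME_HINTS.search(name):
        reasons.append("name suggests credential")
    if value.startswith(KNOWN_PREFIXES):
        reasons.append("value has known credential prefix")
    if URL_WITH_PASSWORD.search(value):
        reasons.append("connection string embeds a password")
    # Long, high-entropy strings are typical of generated API keys.
    if len(value) >= 32 and shannon_entropy(value) >= 4.5:
        reasons.append("long high-entropy value")
    return reasons


def audit_env_vars(records: list) -> list:
    """Flag records stored as non-sensitive whose content looks like a secret."""
    findings = []
    for rec in records:
        if rec.get("sensitive", False):
            continue  # already in protected storage; nothing to flag
        reasons = looks_like_secret(rec["name"], rec["value"])
        if reasons:
            findings.append({"name": rec["name"], "reasons": reasons})
    return findings


def audit_export(export_json: str) -> list:
    """Parse an export (assumed format) and return the findings."""
    return audit_env_vars(json.loads(export_json))


if __name__ == "__main__":
    for finding in audit_export(SAMPLE_EXPORT):
        print(f"{finding['name']}: {', '.join(finding['reasons'])} -> move to sensitive storage and rotate")
```

Each flagged name is a rotation candidate: after re-marking the variable as sensitive, issue a new credential, deploy it, then revoke the old one and review the provider’s access logs for use of the old value during the exposure window.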

This editorial summary reflects ET Tech and other public reporting on Vercel Faces Security Breach: Data Offered for $2 Million.

Reviewed by WTGuru editorial team.