Vercel Hack Confirmed: Breach Linked to Third-Party AI Tool


You can access the original Vercel blog post from here.

The cloud platform Vercel has confirmed that attackers breached its internal systems, affecting a “limited subset” of customers and exposing some non-sensitive environment variables.

In its official disclosure, Vercel said it was investigating the incident with external experts and had informed law enforcement. The company maintained that its core services remain operational and that it has contacted affected users. It urged them to rotate credentials and review their environment variables.

How the breach happened: Attackers compromised Context.ai, a third-party AI tool, to gain access to Vercel. They took over an employee’s Google Workspace account using a compromised OAuth token linked to Context’s AI Office Suite.

This access allowed attackers to move further into Vercel’s systems and view environment variables that the company had not marked as “sensitive.” The company said that variables marked as sensitive were protected and that it found no evidence of unauthorised access to them.
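An added example (not code from Vercel or from the original article) for the review customers were urged to do: given an inventory of environment variables with a sensitive flag, it lists the ones not marked sensitive that look like credentials, so they can be rotated first. The inventory format, field names, sample values and detection heuristics are all assumptions of this example.

```python
import math
import re
from collections import Counter

# Heuristics below are assumptions chosen for this example; tune them to your naming.
SECRET_NAME = re.compile(r"SECRET|TOKEN|PASSWORD|PASSWD|API_?KEY|PRIVATE|CREDENTIAL", re.I)
URL_WITH_CREDS = re.compile(r"^[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I)
TOKEN_LIKE = re.compile(r"^[A-Za-z0-9+/=_-]{20,}$")

def shannon_entropy(s):
    """Bits of entropy per character of s."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def reasons_to_rotate(key, value):
    """Explain why a readable variable looks like a credential (empty list if it does not)."""
    reasons = []
    if SECRET_NAME.search(key):
        reasons.append("name suggests a credential")
    if URL_WITH_CREDS.match(value):
        reasons.append("connection string with embedded password")
    if "-----BEGIN" in value:
        reasons.append("PEM block")
    if TOKEN_LIKE.match(value) and shannon_entropy(value) >= 4.0:
        reasons.append("long high-entropy token")
    return reasons

def triage(inventory):
    """Variables NOT marked sensitive that look like secrets, most reasons first."""
    findings = []
    for var in inventory:
        if var["sensitive"]:
            continue  # the article reports that variables marked sensitive were protected
        reasons = reasons_to_rotate(var["key"], var["value"])
        if reasons:
            findings.append((var["project"], var["key"], reasons))
    return sorted(findings, key=lambda f: (-len(f[2]), f[0], f[1]))

# Constructed inventory; the field names are this example's own, not a Vercel schema.
INVENTORY = [
    {"project": "shop", "key": "DATABASE_URL", "sensitive": False,
     "value": "postgres://app:EXAMPLE-ONLY-pw@db.example.internal:5432/shop"},
    {"project": "shop", "key": "PAYMENTS_API_KEY", "sensitive": False,
     "value": "q7Zp2LxV9mTc4RbN8sWd1KfH6yJu3GaE"},
    {"project": "shop", "key": "SESSION_SECRET", "sensitive": True, "value": ""},
    {"project": "docs", "key": "NEXT_PUBLIC_SITE_URL", "sensitive": False,
     "value": "https://shop.example.com"},
    {"project": "docs", "key": "LOG_LEVEL", "sensitive": False, "value": "info"},
]

if __name__ == "__main__":
    for project, key, reasons in triage(INVENTORY):
        print(f"ROTATE {project}/{key}: {'; '.join(reasons)}")
```

A variable that is flagged here should be rotated at the issuing service and then stored as sensitive; changing the flag alone does not invalidate a value that was already readable.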

CEO explains internal escalation: Vercel CEO Guillermo Rauch confirmed the sequence in an X post, stating: “Through a series of maneuvers that escalated from our colleague’s compromised Vercel Google Workspace account, the attacker got further access to Vercel environments.” He added: “We do have a capability, however, to designate environment variables as ‘non-sensitive’. Unfortunately, the attacker got further access through their enumeration.”

Rauch described the attackers as “highly sophisticated” and said the company is focusing on investigation, customer communication, and strengthening security systems.

Hackers claim stolen data, identity remains unclear: The disclosure followed a threat actor posting on a hacking forum claiming to be selling Vercel data, including access keys, source code, and database contents. The actor said they had access to “multiple employee accounts” and internal deployments.

The actor claimed links to the ShinyHunters group, which later denied involvement when cybersecurity outlet BleepingComputer contacted it. The authenticity of the leaked data has not been independently verified.

Reports also indicate that the attacker shared a dataset of around 580 employee records and screenshots of internal dashboards, and claimed to be discussing ransom payments of up to $2 million, though Vercel has not confirmed any such negotiations.

Context AI acknowledges earlier breach: Context.ai said the root incident occurred earlier in its now-deprecated AI Office Suite. Attackers gained unauthorised access to its AWS environment and compromised the OAuth tokens of some users.

The company stated that one such token was used to access Vercel systems. It has since shut down the affected environment and is working with the cybersecurity firm CrowdStrike to assess the full impact. Context.ai added that its enterprise products, which run in customer-controlled environments, are not affected.

What remains unclear: Vercel has not disclosed how many users were affected by the breach and is still investigating whether attackers exfiltrated any additional data. The company has confirmed that attackers did not compromise its open-source projects, including Next.js.

The incident highlights the growing risks of supply-chain attacks, where breaching one service can open access to multiple platforms through linked accounts and integrations.
