Vercel: Vercel confirms breach as hackers claim to be selling stolen data

Vercel Discloses Security Breach Amid Hacker Extortion Claims

Vercel, a leading cloud development platform specializing in JavaScript frameworks like Next.js, has confirmed a security incident involving unauthorized access to its internal systems. The breach, disclosed in a security bulletin today, affects a limited subset of customers, though the company states its services remain operational.

Vercel is actively investigating the incident with the help of external incident response experts and has notified law enforcement. While no service disruptions have been reported, the company is advising impacted customers to review environment variables, utilize its sensitive variable feature, and rotate secrets if necessary.

The disclosure follows claims by a threat actor, purporting to be part of the ShinyHunters hacking group, who posted on a hacking forum offering stolen Vercel data for sale. The attacker alleged possession of access keys, source code, database records, and internal deployment credentials, including NPM and GitHub tokens. A sample shared as proof contained 580 employee records with names, Vercel email addresses, account statuses, and activity timestamps, alongside a screenshot of an internal enterprise dashboard.

Notably, established members of the ShinyHunters extortion gang have denied involvement in the attack. The threat actor also claimed to have demanded a $2 million ransom from Vercel, though the company has not confirmed whether negotiations are underway. BleepingComputer has not independently verified the authenticity of the leaked data.

Vercel continues to assess the scope of the breach and has not disclosed whether sensitive customer data or credentials were exposed. Further updates are expected as the investigation progresses.

Source: https://www.bleepingcomputer.com/news/security/vercel-confirms-breach-as-hackers-claim-to-be-selling-stolen-data/

Vercel cybersecurity rating report: https://www.rankiteo.com/company/vercel

"id": "VER1776623025",
"linkid": "vercel",
"type": "Breach",
"date": "4/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Limited subset',
                        'industry': 'Technology',
                        'name': 'Vercel',
                        'type': 'Cloud Development Platform'}],
 'customer_advisories': 'Review environment variables, utilize sensitive '
                        'variable feature, rotate secrets if necessary',
 'data_breach': {'data_exfiltration': True,
                 'number_of_records_exposed': '580 employee records',
                 'personally_identifiable_information': 'Names, Vercel email '
                                                        'addresses, account '
                                                        'statuses, activity '
                                                        'timestamps',
                 'sensitivity_of_data': 'High (NPM and GitHub tokens, internal '
                                        'enterprise dashboard access)',
                 'type_of_data_compromised': ['Access keys',
                                              'Source code',
                                              'Database records',
                                              'Internal deployment credentials',
                                              'Employee records']},
 'description': 'Vercel, a leading cloud development platform specializing in '
                'JavaScript frameworks like Next.js, confirmed a security '
                'incident involving unauthorized access to its internal '
                'systems. The breach affects a limited subset of customers, '
                'and the company states its services remain operational. The '
                'disclosure follows claims by a threat actor purporting to be '
                'part of the ShinyHunters hacking group who posted stolen '
                'Vercel data for sale, including access keys, source code, '
                'database records, and internal deployment credentials.',
 'impact': {'data_compromised': 'Access keys, source code, database records, '
                                'internal deployment credentials (NPM and '
                                'GitHub tokens), employee records (names, '
                                'Vercel email addresses, account statuses, '
                                'activity timestamps)',
            'operational_impact': 'Limited subset of customers affected; '
                                  'services remain operational',
            'systems_affected': 'Internal systems'},
 'initial_access_broker': {'data_sold_on_dark_web': True},
 'investigation_status': 'Ongoing',
 'motivation': 'Extortion',
 'ransomware': {'data_exfiltration': True, 'ransom_demanded': '$2 million'},
 'recommendations': 'Review environment variables, utilize sensitive variable '
                    'feature, rotate secrets if necessary',
 'references': [{'source': 'Vercel Security Bulletin'},
                {'source': 'BleepingComputer'}],
 'response': {'communication_strategy': 'Security bulletin, customer '
                                        'advisories',
              'incident_response_plan_activated': True,
              'law_enforcement_notified': True,
              'remediation_measures': 'Advising impacted customers to review '
                                      'environment variables, utilize '
                                      'sensitive variable feature, and rotate '
                                      'secrets',
              'third_party_assistance': 'External incident response experts'},
 'threat_actor': 'ShinyHunters (alleged)',
 'title': 'Vercel Security Breach Amid Hacker Extortion Claims',
 'type': 'Data Breach'}