Vercel Breach Exposes Customer Credentials via Third-Party AI Tool
Cloud hosting platform Vercel recently disclosed a security breach stemming from a compromised third-party AI tool. The incident, which occurred after an employee connected a Google Workspace OAuth app developed by Context AI to their corporate account, allowed threat actors to access internal systems.
Vercel confirmed that a "limited subset of customers" had credentials exposed, though the company stated that those not contacted were unaffected. The breach did not impact Vercel’s popular open-source projects, including Next.js and Turbopack, but the hacker claiming responsibility under the alias "ShinyHunters" allegedly gained access to employee accounts, API keys (including NPM and GitHub tokens), and source code. The stolen data is reportedly being sold on hacking forums.
The attack highlights the growing risk of supply chain compromises targeting developer tools and third-party integrations. Vercel has since implemented additional security measures and monitoring to mitigate further exposure. While the company has not verified all of the hacker’s claims, the incident underscores the increasing sophistication of attacks leveraging OAuth-based applications.
Source: https://tech.co/news/app-host-vercel-hack-ai-tool
Vercel cybersecurity rating report: https://www.rankiteo.com/company/vercel
{
  "id": "VER1776772360",
  "linkid": "vercel",
  "type": "Breach",
  "date": "1/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': 'Limited subset of customers',
                        'industry': 'Cloud hosting, Web development',
                        'name': 'Vercel',
                        'type': 'Company'}],
 'attack_vector': 'Third-party AI tool (Google Workspace OAuth app)',
 'customer_advisories': 'Affected customers were contacted; others were assured they were unaffected.',
 'data_breach': {'data_exfiltration': 'Yes (data reportedly sold on hacking forums)',
                 'personally_identifiable_information': 'Customer credentials',
                 'sensitivity_of_data': 'High (API keys, source code, credentials)',
                 'type_of_data_compromised': ['Customer credentials',
                                              'Employee accounts',
                                              'API keys',
                                              'Source code']},
 'description': "Cloud hosting platform Vercel recently disclosed a security breach stemming from a compromised third-party AI tool. The incident occurred after an employee connected a Google Workspace OAuth app developed by Context AI to their corporate account, allowing threat actors to access internal systems. A 'limited subset of customers' had credentials exposed, and the hacker 'ShinyHunters' allegedly gained access to employee accounts, API keys (including NPM and GitHub tokens), and source code. The stolen data is reportedly being sold on hacking forums.",
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to breach disclosure',
            'data_compromised': 'Customer credentials, employee accounts, API keys (NPM, GitHub tokens), source code',
            'identity_theft_risk': 'High (exposed credentials and PII)',
            'systems_affected': 'Internal systems, third-party OAuth app'},
 'initial_access_broker': {'data_sold_on_dark_web': 'Yes',
                           'entry_point': 'Compromised third-party AI tool (Google Workspace OAuth app)',
                           'high_value_targets': ['API keys',
                                                  'Source code',
                                                  'Employee accounts']},
 'lessons_learned': 'Growing risk of supply chain compromises targeting developer tools and third-party integrations; need for stricter OAuth app vetting and monitoring.',
 'motivation': 'Financial gain (data sold on hacking forums)',
 'post_incident_analysis': {'corrective_actions': 'Additional security measures, enhanced monitoring, stricter third-party integration policies',
                            'root_causes': 'Compromised third-party OAuth app integration, insufficient vetting of third-party tools'},
 'recommendations': 'Implement stricter third-party integration policies, enhance OAuth app security reviews, and improve monitoring for unauthorized access.',
 'references': [{'source': 'Vercel Disclosure'}],
 'response': {'communication_strategy': 'Public disclosure of breach',
              'containment_measures': 'Additional security measures and monitoring implemented',
              'enhanced_monitoring': 'Yes'},
 'threat_actor': 'ShinyHunters',
 'title': 'Vercel Breach Exposes Customer Credentials via Third-Party AI Tool',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Compromised third-party OAuth integration'}