Vercel breach linked to third-party tool as hackers claim data theft

Computing, 3d ago

Cloud development platform Vercel has confirmed it suffered a security breach, after a threat actor claimed to be selling access to allegedly stolen company data.

The firm said the incident involved "unauthorised access to certain internal Vercel systems" and affected a "limited subset of customers".

It added that it is working with cybersecurity specialists, including Mandiant, and has notified law enforcement.

The company stressed that its core services remain operational and that there is no evidence of widespread compromise.

Vercel created and maintains Next.js, a web development framework for React that adds server-side rendering, routing and optimisation to React applications. It is widely adopted: about two-thirds of JavaScript developers use Next.js, as do companies like Uber, Netflix and TikTok.

Customers believed to be affected have been contacted and advised to rotate credentials.

"If you have not been contacted, we do not have reason to believe that your Vercel credentials or personal data have been compromised at this time," the company said.

According to Vercel, the breach originated from a compromised Google Workspace account linked to a third-party AI tool, Context.ai.

Chief executive Guillermo Rauch wrote on X that the attacker gained initial access via this account before escalating access into Vercel's internal systems.

The intruder was then able to access certain environment variables that had not been marked as "sensitive," meaning they were not encrypted at rest.

These variables were intended to contain non-sensitive data, but the attacker used them to gain deeper access to Vercel's systems.

Vercel described the attacker as "sophisticated," citing their speed and apparent familiarity with the company's infrastructure.

The firm said its open-source projects, including Next.js and Turbopack, were not affected.

The disclosure follows claims by a single hacker using the name "ShinyHunters" on an online forum, alleging they had breached Vercel and were selling stolen data.

The individual claimed to possess access keys, source code, database information and internal deployment systems.

"This is just from Linear as proof, but the access I'm about to give you includes multiple employee accounts with access to several internal deployments [and] API keys (including some NPM tokens and some GitHub tokens)," reads the forum post, according to BleepingComputer.

A sample dataset shared online included details of 580 Vercel employee accounts, such as names, email addresses and activity records.

Screenshots said to show internal dashboards were also circulated.

In separate messages, the attacker claimed to have discussed a ransom demand of $2m with the company.

The authenticity of the leaked data has not been verified, and the group known as ShinyHunters has reportedly denied involvement in this incident.

Vercel has urged users to take precautionary steps, including reviewing activity logs, rotating environment variables and ensuring sensitive data is properly encrypted.

It has also introduced updates to its dashboard to improve visibility and management of environment variables.
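One way to act on the advice about the "sensitive" flag is to audit an exported list of environment variables for entries that look like credentials but are not marked sensitive. The script below is an added example, not Vercel's code or tooling; the inventory format (`key`, `type`, `value`), the `plain`/`sensitive` type names and the sample entries are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# Name fragments that usually indicate a credential.
SECRET_NAME = re.compile(r"SECRET|TOKEN|PASSWORD|PRIVATE|API_?KEY|CREDENTIAL", re.I)
# Real, documented prefixes of GitHub and npm access tokens.
TOKEN_PREFIX = re.compile(r"^(ghp_|github_pat_|npm_)")
# URL carrying embedded user:password@ credentials.
URL_CREDS = re.compile(r"^[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I)
# A single opaque token: no spaces or URL punctuation, at least 24 characters.
OPAQUE = re.compile(r"^[A-Za-z0-9+/_=-]{24,}$")

def shannon_entropy(s):
    """Bits per character of the string's empirical distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def reasons(var):
    """Return why a variable looks like a secret (empty list if it does not)."""
    key, value = var["key"], var.get("value") or ""
    why = []
    if SECRET_NAME.search(key):
        why.append("name")
    if TOKEN_PREFIX.match(value):
        why.append("token-prefix")
    if URL_CREDS.match(value):
        why.append("url-credentials")
    if OPAQUE.match(value) and shannon_entropy(value) >= 4.0:
        why.append("high-entropy")
    return why

def audit(inventory):
    """List (key, reasons) for secret-looking variables not marked sensitive."""
    return [(v["key"], reasons(v)) for v in inventory
            if v.get("type") != "sensitive" and reasons(v)]

# Constructed sample inventory; field names and values are hypothetical.
SAMPLE = [
    {"key": "NEXT_PUBLIC_SITE_NAME", "type": "plain", "value": "Example Shop"},
    {"key": "STRIPE_SECRET_KEY", "type": "sensitive"},  # value not readable
    {"key": "DEPLOY_HOOK", "type": "plain",
     "value": "ghp_" + "EXAMPLEexample0123456789EXAMPLEexamp"},
    {"key": "DB", "type": "plain", "value": "postgres://app:hunter2@db.example.internal/app"},
    {"key": "SESSION_SECRET", "type": "plain", "value": "changeme"},
]
if __name__ == "__main__":
    for key, why in audit(SAMPLE):
        print(f"{key}: not marked sensitive ({', '.join(why)})")
```

Anything the audit reports should be rotated and re-created as a sensitive variable, since its current value must be assumed readable by anyone who reached the non-sensitive store.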

"My advice to everyone is to follow the best practices of security response: secret rotation, monitoring access to your Vercel environments and linked services and ensuring the proper use of the sensitive env variables feature," Rauch said.

"It's my mission to turn this attack into the most formidable security response imaginable," he added.

Vercel says it continues to investigate the full scope of the breach and will provide updates as more information becomes available.

Originally published by Computing
