
Attacker First Compromised AI Tool Used by Vercel Employee, Platform Provider Finds
Cloud platform provider Vercel said an attacker stole customer data after compromising a third-party agentic artificial intelligence tool used by an employee.
San Francisco-based Vercel runs the widely used frontend cloud platform for React, a JavaScript library used to build web applications. The company also created and maintains the popular Next.js framework for React, which provides full-stack development, referring to both backend and frontend components.
"We've identified a security incident that involved unauthorized access to certain internal Vercel systems," the company first warned customers on Sunday.
The company said that it's brought in outside cybersecurity firms to help investigate, including Google's Mandiant incident response group.
The company said the incident began with a compromise of Context.ai, a third-party AI tool used by a Vercel employee. "The attacker used that access to take over the employee's Vercel Google Workspace account, which enabled them to gain access to some Vercel environments and environment variables that were not marked as 'sensitive.'"
Vercel said it's notifying affected customers, which it said amounts to a "quite limited" number. "We've reached out with utmost priority to the ones we have concerns about," said Vercel CEO Guillermo Rauch in a Sunday post to social platform X.
The company said all stored sensitive data is fully encrypted and doesn't appear to have been exposed. Data customers typically designate as "sensitive" include everything from API keys and tokens to database credentials and signing keys.
Vercel recommends all customers review the Vercel activity log for suspicious activity, as well as review environment variables. Any not marked as being sensitive "should be treated as potentially exposed and rotated as a priority," it said.
"If your organization relies on their infrastructure, I strongly recommend you start looking into this immediately," said Austin Larsen, principal threat analyst for Google Threat Intelligence Group, in a Sunday post to LinkedIn.
Who perpetrated the attack against Vercel and what they stole remain unclear.
"A group claiming to be ShinyHunters has taken responsibility for this breach. However, it is likely this is an imposter attempting to use an established name to inflate their notoriety," Larsen said.
Vercel also recommends customers rotate bypass tokens they've created for testing deployments, as well as "investigate recent deployments for unexpected or suspicious looking deployments" and "delete any deployments in question" if there is any question as to their authenticity. That risk ties to an attacker potentially having backdoored or otherwise altered a customer's software.
Cybersecurity firm Hudson Rock said the purported attacker on Sunday began listing for sale on a cybercrime forum stolen "access key / source code / database" from Vercel.
Hudson Rock said it's found evidence that a Context.ai employee fell victim to Lumma information stealing malware on Feb. 17. The infostealer appeared to harvest valid Context.ai corporate credentials for Google Workspace, Supabase, Datadog and Authkit, as well as for the account, it said.
"The exposure of these developer and administrative tools provided the exact leverage needed to escalate privileges, bypass initial security perimeters and successfully pivot into Vercel's infrastructure," it said.
Vercel published Sunday an indicator of compromise for a malicious app used by the attacker. "We recommend that Google Workspace Administrators and Google Account owners check for usage of this app immediately" in their Google Admin Console's API Controls section, it said.
Context.ai Confirms Breach
Context.ai on Sunday confirmed that it was breached, saying that an attacker gained unauthorized access to its Amazon Web Services environment in March. The company hired CrowdStrike to investigate and said the breach involved a product designed to be run onsite by customers, since deprecated, and appeared to result in the breach of only a single customer's environment.
In the wake of Vercel getting breached and further internal investigation, Context.ai on Sunday revised its conclusions, saying that the attacker "also likely compromised OAuth tokens for some of our consumer users," including one that allowed them "to access Vercel's Google Workspace," by using the OAuth token in what's known as a replay attack to gain unauthorized access to a service.
While Vercel isn't a corporate customer, "it appears at least one Vercel employee signed up for the AI Office Suite using their Vercel enterprise account and granted 'Allow All' permissions," and that "Vercel's internal OAuth configurations appear to have allowed this action to grant these broad permissions in Vercel's enterprise Google Workspace," Context.ai said.
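For administrators acting on the recommendation to check third-party app usage, the following added example (not from Vercel, Context.ai or this article) reviews an export of OAuth grants for two conditions: a match against a published indicator, and an unapproved app holding broad scopes of the "Allow All" kind. The sample records are constructed and shaped like items from the Admin SDK Directory API tokens.list response; the indicator client ID is a placeholder, and the approved-app list and the choice of "broad" scopes are assumptions to adapt.

```python
import json

# Constructed sample, shaped like items from the Admin SDK Directory API
# tokens.list response (clientId, displayText, userKey, scopes). Not real data.
SAMPLE_TOKENS = json.loads("""
[
 {"clientId": "1111-approved.apps.googleusercontent.com", "displayText": "Approved Calendar Sync",
  "userKey": "alice@example.com", "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
 {"clientId": "2222-unvetted.apps.googleusercontent.com", "displayText": "Unvetted AI Assistant",
  "userKey": "bob@example.com",
  "scopes": ["openid", "https://mail.google.com/", "https://www.googleapis.com/auth/drive"]},
 {"clientId": "PLACEHOLDER-IOC-CLIENT-ID", "displayText": "Example flagged app",
  "userKey": "carol@example.com", "scopes": ["https://www.googleapis.com/auth/drive.file"]}
]
""")

# Placeholder: replace with the client ID from the vendor's published indicator.
IOC_CLIENT_IDS = {"PLACEHOLDER-IOC-CLIENT-ID"}
# Assumption: apps your organization has reviewed and approved.
APPROVED_CLIENT_IDS = {"1111-approved.apps.googleusercontent.com"}
# Scopes giving full mailbox, full Drive, directory admin or cloud-wide access.
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/cloud-platform",
}

def review_grants(tokens, ioc_ids=IOC_CLIENT_IDS, approved=APPROVED_CLIENT_IDS):
    """Return findings for grants that match an indicator or give an
    unapproved app broad scopes, indicator matches first."""
    findings = []
    for t in tokens:
        client, scopes = t.get("clientId", ""), set(t.get("scopes", []))
        broad = sorted(scopes & BROAD_SCOPES)
        if client in ioc_ids:
            reason = "ioc-match"          # revoke and investigate regardless of scope
        elif broad and client not in approved:
            reason = "broad-unapproved"   # the 'Allow All' pattern on an unvetted app
        else:
            continue
        findings.append({"user": t.get("userKey"), "app": t.get("displayText"),
                         "client_id": client, "reason": reason, "broad_scopes": broad})
    return sorted(findings, key=lambda f: f["reason"] != "ioc-match")

if __name__ == "__main__":
    for f in review_grants(SAMPLE_TOKENS):
        print(f"{f['reason']:<17} {f['user']:<18} {f['app']} {f['broad_scopes']}")
```

A grant flagged here is a standing credential held by the third party, so revoking it matters even if the user's own password and MFA are intact.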
After being breached in March, and in conjunction with CrowdStrike, Context.ai said it better locked down its primary AWS environment, including implementing better "encryption, segmentation, authentication and monitoring controls."
How many other Context.ai users might also have been breached isn't clear. Vercel said that it could involve "hundreds of users across many organizations."