Vercel says some of its customers’ data was stolen prior to its recent hack


## Vercel Uncovers Pre-Existing Customer Account Compromises After Expanding Breach Investigation

Vercel, the cloud deployment and hosting platform behind the widely used Next.js framework, has disclosed that its expanded investigation into an April 2026 security breach has surfaced a second, independent wave of customer account compromises — ones that predate the original incident entirely. The company's updated security bulletin, published on vercel.com, reveals that a small number of customer accounts show evidence of prior compromise through social engineering, malware, or other methods unrelated to the Context.ai supply chain attack that triggered the initial breach.

The disclosure adds a new layer of complexity to what was already a sophisticated, multi-stage attack — one that began with a malware infection at a third-party AI tool provider and ultimately resulted in unauthorized access to Vercel's internal systems and non-sensitive customer environment variables.

## What Vercel's Investigation Found: Two Distinct Compromise Paths

Vercel's initial April 2026 security bulletin confirmed that a limited subset of customers had non-sensitive environment variables stored on Vercel compromised, and those customers were contacted with recommendations to rotate credentials immediately. As the company expanded its investigation, it uncovered two additional findings that went beyond the scope of that initial disclosure.

The first was a small number of additional customer accounts compromised as part of the April 2026 incident itself. The second — and more significant for the broader picture — was a separate set of customer accounts showing signs of compromise that predated and were independent of the April incident.

In its official security bulletin, Vercel stated: **"We have uncovered a small number of customer accounts with evidence of prior compromise that is independent of and predates this incident, potentially as a result of social engineering, malware, or other methods."**

Vercel confirmed that environment variables marked as 'sensitive' are stored in an encrypted manner that prevents them from being read, and that there is no evidence the attacker accessed those values. The company also confirmed, in collaboration with GitHub, Microsoft, npm, and Socket, that no npm packages published by Vercel were compromised. The Next.js and Turbopack open source projects were also reported as unaffected.

## How the April 2026 Breach Unfolded: From a Roblox Script to Vercel's Internal Systems

The attack chain behind the primary April 2026 incident traces back to approximately February 2026. According to research by cybersecurity firm Hudson Rock, the breach began at Context.ai — a third-party AI productivity tool used by at least one Vercel employee — when a Context.ai employee with sensitive access privileges was infected with Lumma Stealer malware.

Hudson Rock described the origin point directly: **"In a February 2026 Lumma stealer infection, a Context.ai employee with sensitive access privileges was compromised."** The infection reportedly occurred after that employee downloaded Roblox game exploit scripts — a reminder that the entry point for enterprise-level supply chain attacks is often a personal, low-stakes action.

The malware harvested credentials from the infected device, giving the attacker a foothold into Context.ai's environment. From there, the attacker was able to compromise OAuth tokens associated with Context.ai's Google Workspace OAuth application. Context.ai later disclosed the sequence in its own statement: **"We also learned that the unauthorized actor appears to have used a compromised OAuth token to access Vercel's Google Workspace."**

The pivot into Vercel's environment was enabled by a key detail in how the compromised OAuth application had been granted access. As Context.ai acknowledged in a public statement: **"Vercel is not a Context customer, but it appears at least one Vercel employee signed up for the AI Office Suite using their Vercel enterprise account and granted 'Allow All' permissions."**

With access to the Vercel employee's Google Workspace account established, the attacker moved laterally into Vercel's internal environment, enumerating and decrypting non-sensitive environment variables across a subset of customer accounts. According to Trend Micro's analysis, one Vercel customer — named Andrey Zagoruiko in that research — reported receiving a leaked-key notification from OpenAI on April 10, 2026, nine days before Vercel's public disclosure on April 19, for an API key that had never existed outside Vercel. That nine-day gap between the earliest public evidence of credential exposure and Vercel's public disclosure is now part of the broader timeline under scrutiny.

## The ShinyHunters Claim and a $2 Million Data Listing

Adding a criminal marketplace dimension to the incident, a threat actor claiming to represent the ShinyHunters hacking group posted on BreachForums on or around April 20, 2026, claiming to sell access to stolen Vercel data — including customer API keys, source code, and database data — for $2 million.

According to BleepingComputer, the threat actor also shared a text file containing 580 data records of Vercel employee information, including names, email addresses, account statuses, and activity timestamps, as evidence of access. However, known members of the ShinyHunters group denied involvement to BleepingComputer, stating they were not behind this incident. Whether the listing represents the actual attacker, a third party who purchased or obtained the data, or an unverified claim has not been confirmed by Vercel or law enforcement.

A Vercel spokesperson confirmed to TechCrunch that, as of April 20, 2026, the company had not received any communication from the threat actor — no ransom demand or direct contact of any kind.

## Why This Incident Matters Beyond Vercel

The Vercel breach is drawing significant attention from security researchers not only because of who was targeted — a platform central to modern front-end and serverless development infrastructure — but because of how it was executed. The attack exploited a chain of trust that runs from a consumer-facing AI productivity app, through an OAuth permissions grant, into an enterprise platform's internal systems.

Vercel's own security bulletin publicly released the OAuth client identifier for the compromised Context.ai Google Workspace application — `110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com` — specifically to help other organizations investigate whether their own environments may have been exposed to the same compromised application.

The move signals a broader concern: any organization whose employees granted permissions to Context.ai's OAuth application — even informally, using a personal or enterprise account — may need to audit their own access logs. The attack vector of broad OAuth permission grants to AI productivity tools is, according to security analysis cited across multiple outlets, an increasingly exploited surface area across developer and enterprise environments.

Vercel is working with Google Mandiant, additional cybersecurity firms, industry peers, and law enforcement in its ongoing investigation, according to its official security bulletin.

## What Vercel and Its CEO Are Saying

Vercel's official communications have been notably direct about both the scope and the sophistication of the attack. In its security bulletin, the company stated: **"We've identified a security incident that involved unauthorized access to certain internal Vercel systems."** And in its assessment of the attacker's capabilities: **"We assess the attacker as highly sophisticated based on their operational velocity and in-depth understanding of Vercel's product API surface."**

Vercel CEO Guillermo Rauch went further in public remarks, stating: **"We believe the attacking group to be highly sophisticated and, I strongly suspect, significantly accelerated by AI."** That assessment — that the attacker may have used AI tools to accelerate their own operational tempo — adds a notable dimension to the incident, though it remains Vercel's own assessment rather than a confirmed technical finding.

## What Comes Next for Affected Customers and the Developer Community

Vercel has indicated it directly notified all customers identified as affected — both those compromised in the April 2026 incident and those with evidence of prior, independent compromise uncovered during the expanded investigation. The company's immediate guidance to affected customers has been to rotate credentials, particularly any non-sensitive environment variables that may have been exposed.

For the broader developer community, particularly those building on Vercel's platform or using similar deployment infrastructure, the incident raises practical questions about OAuth permission hygiene. As this breach illustrates, granting broad access permissions — including "Allow All" scopes — to third-party AI productivity tools that connect to enterprise accounts can have cascading consequences far beyond the original application.

The confirmation that no npm packages published by Vercel were compromised will offer some relief to the open source ecosystem, given Vercel's role as the primary maintainer of Next.js. But the discovery of pre-existing customer account compromises — ones that may have been sitting undetected before the April incident prompted a deeper audit — underscores that for some organizations, the exposure window may extend considerably further back than the April 2026 breach date suggests.

Vercel's investigation is ongoing. The company has not provided a specific timeline for its conclusion or indicated whether additional findings may be forthcoming.
