Vercel Confirms Breach as Hackers Sell Stolen Data
Vercel confirms unauthorized access to internal systems after a hacker posts stolen employee data for sale on a forum. The breach affects a limited number of customers, with services unaffected but security reviews advised amid an ongoing investigation.
In a bulletin published today, Vercel states it is actively investigating with incident response experts, has notified law enforcement, and is working with impacted customers. The company's services remain unaffected. Vercel advises affected customers to review environment variables, enable its sensitive environment variable feature, and rotate secrets if necessary.
The disclosure follows a threat actor's forum post claiming a breach and offering for sale access keys, source code, database data, internal deployments, and API keys—including NPM and GitHub tokens. The actor, claiming affiliation with ShinyHunters (though the group denies involvement), shared proof from Linear, including multiple employee accounts.
The hacker posted a text file with 580 Vercel employee records containing names, email addresses, account status, and activity timestamps, plus a screenshot of an internal Enterprise dashboard. BleepingComputer has not independently verified the data's authenticity. The actor claims contact with Vercel and a $2 million ransom demand via Telegram messages.
Reader-supported
The Circuitry is a passion project I've always wanted to build, and I love the work behind it.
Running it costs real money. APIs, hosting, time. To keep improving the site and growing this into something useful for everyone, those costs have to be covered.
Any contribution is appreciated. If not, no pressure. Thanks for reading.
EXPERT TAKE
Cloud admins should immediately audit and rotate any Vercel-linked API keys, NPM tokens, or GitHub credentials across environments to mitigate potential lateral movement.