Vercel has confirmed a security breach in which hackers stole customer data including API keys, source code, and database credentials. The attack originated from a supply chain compromise at Context AI, whose Office Suite app was breached in March. A Vercel employee had connected the Context AI app to their corporate Google account via OAuth, which allowed attackers to hijack the employee's account and access unencrypted credentials in Vercel's internal systems. A threat actor claiming to represent ShinyHunters is selling the stolen data online, though ShinyHunters denies involvement. Vercel's Next.js and Turbopack open-source projects were not affected. Context AI, whose staff was acqui-hired by OpenAI, has acknowledged the breach may be broader than initially disclosed. Vercel is advising customers to rotate all keys and credentials marked as non-sensitive.