Vercel just confirmed an internal breach, and your non-sensitive env vars may be exposed

Vercel has confirmed unauthorized internal access to its systems and is notifying law enforcement. Hacking group ShinyHunters claims responsibility and is allegedly selling stolen data — including access keys, source code, and databases — for $2 million, warning it could enable the largest supply chain attack ever via Next.js. Vercel's claims about ShinyHunters' involvement remain unverified, but all Vercel customers are advised to immediately review and rotate their environment variables and use the sensitive environment variable feature.