Vercel, a cloud development platform specializing in hosting and deployment infrastructure for modern web applications, has confirmed a security incident involving unauthorized access to certain internal systems after threat actors claimed to have breached the company and offered stolen data for sale.

The company disclosed that a limited subset of customers was affected and stated that it is actively investigating the incident with the support of external incident response experts. Law enforcement authorities have been notified, and the company indicated that its core services remain operational without disruption.
The breach was traced to the compromise of a Google Workspace account belonging to a Vercel employee. The intrusion originated through a third-party artificial intelligence tool’s OAuth application associated with Context.ai. Following the account compromise, the attacker escalated access into Vercel’s internal environments.
The investigation determined that the attacker was able to access certain environment variables that were not designated as sensitive and therefore were not encrypted at rest. While these variables were intended to store non-sensitive information, further access was obtained through enumeration techniques. Vercel emphasized that all customer environment variables classified as sensitive are fully encrypted at rest and protected through multiple security layers.
The company stated that its open-source projects, including Next.js and Turbopack, were not impacted by the incident. In response, Vercel has introduced updates to its dashboard, including a centralized view of environment variables and enhancements to the management of sensitive data.
Vercel has advised customers to review their environment variables, rotate secrets where necessary, and ensure that sensitive data is properly classified to enable encryption protections. It also urged Google Workspace administrators and account holders to audit connected OAuth applications, specifically identifying the compromised third-party tool involved in the incident.
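One way to carry out the environment-variable review described above, shown as an added example rather than Vercel's own tooling: it scans an inventory of variables and flags any that are not marked sensitive but look like secrets. The record fields (`name`, `value`, `sensitive`), the heuristics and the sample data are all assumptions constructed for illustration, not Vercel's API or export format.

```python
import math
import re
from collections import Counter

# Assumed heuristic: name fragments that usually indicate a credential.
SECRET_NAME = re.compile(
    r"SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE|CREDENTIAL|API_?KEY|ACCESS_?KEY|DATABASE_URL",
    re.IGNORECASE)
# URL with embedded credentials, in the form scheme://user:password@host
URL_WITH_CREDS = re.compile(r"^[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.IGNORECASE)

def shannon_entropy(value):
    """Bits of entropy per character; random tokens score higher than words."""
    counts = Counter(value)
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())

def reasons_to_reclassify(name, value):
    """Return why a variable looks like a secret (empty list if it does not)."""
    reasons = []
    if SECRET_NAME.search(name):
        reasons.append("name suggests a credential")
    if URL_WITH_CREDS.match(value):
        reasons.append("URL embeds a username and password")
    if len(value) >= 20 and " " not in value and shannon_entropy(value) >= 4.5:
        reasons.append("long high-entropy value")
    return reasons

def audit(inventory):
    """Flag variables that are NOT marked sensitive yet look like secrets."""
    findings = {}
    for var in inventory:
        if var.get("sensitive"):
            continue  # already classified as sensitive, nothing to change
        reasons = reasons_to_reclassify(var["name"], var.get("value", ""))
        if reasons:
            findings[var["name"]] = reasons
    return findings

# Constructed sample inventory; every value is fake.
SAMPLE = [
    {"name": "NEXT_PUBLIC_SITE_NAME", "value": "Example Shop", "sensitive": False},
    {"name": "BILLING_SECRET_KEY", "value": "constructed-placeholder", "sensitive": True},
    {"name": "PAYMENTS_API_KEY", "value": "changeme", "sensitive": False},
    {"name": "CACHE_ENDPOINT", "value": "redis://app:hunter2@cache.internal.example:6379", "sensitive": False},
    {"name": "BUILD_STAMP", "value": "q7Zp2LxV9mT4aB8cR1dW6eYfK3hJ5nUs", "sensitive": False},
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE).items():
        print(f"{name}: reclassify as sensitive and rotate ({'; '.join(reasons)})")
```

Anything the audit flags should be treated as exposed: rotate the value first, then store the replacement as a sensitive variable.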
The disclosure follows claims posted on a cybercrime forum by an individual using the name “ShinyHunters,” who alleged possession of access keys, source code, database data, and internal deployment credentials linked to Vercel systems. The individual also shared a sample dataset reportedly containing information on 580 Vercel employees, including names, corporate email addresses, account status, and activity timestamps, along with a screenshot of what appeared to be an internal enterprise dashboard.
The authenticity of the data and materials shared by the threat actor has not been verified. The individual also claimed to have engaged in discussions with the company regarding a potential ransom demand of $2 million.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543