Vimeo confirms data breach linked to third-party analytics vendor, hackers threaten leak

Video hosting platform Vimeo said hackers accessed user and customer data through a breach involving a third-party analytics provider, exposing technical information and email addresses while leaving core systems and sensitive credentials unaffected.

The New York-based company, which provides video hosting and streaming services for businesses and creators, confirmed that unauthorized access stemmed from a security incident at Anodot, a business analytics platform integrated with its systems. The breach allowed attackers to reach databases containing technical data, video titles, metadata and, in some cases, customer email addresses.

Vimeo said the compromised data did not include video content, valid login credentials or payment card information. The company added that its services remained fully operational throughout the incident and that no system disruptions occurred.

The company disabled all Anodot-related credentials and removed the integration after detecting the intrusion. External cybersecurity specialists have been engaged to support the investigation, and law enforcement authorities have been notified. Vimeo said it continues to monitor its environment as the investigation remains ongoing.

The cybercrime group ShinyHunters has claimed responsibility for the attack and listed Vimeo among targets on its leak site. The group said it obtained data from cloud environments associated with the company and has issued a ransom demand, warning that stolen files could be released if payment is not made by April 30.

ShinyHunters has been linked to a series of recent high-profile cyberattacks across multiple industries. The group has targeted widely used enterprise platforms, including Salesforce and analytics services, as part of a broader campaign focused on supply chain vulnerabilities. Its tactics rely on phishing schemes conducted through voice and email to obtain login credentials rather than exploiting software flaws.

The same group has recently claimed intrusions involving organizations such as education publisher McGraw Hill, home security firm ADT and video game developer Rockstar Games. Vimeo, Rockstar Games and fashion retailer Zara have all been listed as victims in attacks tied to the Anodot platform.