CyberSecurity

US Healthcare Marketplaces Leaked Citizenship and Race Data to Ad Tech Giants

A new investigation by Bloomberg has uncovered a sweeping privacy breach: almost all of the 20 U.S. state-run health insurance marketplaces transmitted residents’ citizenship and race data to advertising technology giants, including Google, LinkedIn, Meta, and Snap. The report highlights how pixel-sized trackers, common tools for web analytics, were misconfigured on sensitive government websites, exposing personal health application details to third-party platforms.

How Pixel Trackers Exposed Citizenship and Race Data

These tiny trackers, often invisible to users, are designed to help website owners understand visitor behavior and fix bugs. However, when placed on pages containing sensitive information—such as healthcare applications—they can inadvertently collect and share personal data. According to Bloomberg, New York’s health insurance exchange shared information about applicants’ incarcerated family members with several tech companies. Meanwhile, Washington, D.C.’s exchange asked residents about their sex and race, and TikTok’s pixel tracker attempted to redact some of this data but failed to mask all racial identifiers.

Washington, D.C. and Virginia Respond

After Bloomberg’s findings, Washington, D.C. paused its rollout of the TikTok tracker. Virginia went a step further by removing Meta’s tracker from its website after discovering it was sharing residents’ ZIP codes with the social media giant. A spokesperson for the D.C. exchange confirmed that email addresses, phone numbers, and country identifiers were also transmitted to TikTok.

This Is Not a New Problem in Healthcare Data Privacy

Unfortunately, this is not an isolated incident. Similar issues have plagued telehealth startups and large healthcare organizations for years. Several companies have had to notify millions of patients that their health information was inadvertently collected and shared with ad tech firms, whose business models depend on monetizing consumer data. However, Bloomberg’s investigation underscores a new dimension: when these trackers appear on government-run marketplaces, the potential impact is massive. More than seven million Americans purchased health insurance through state exchanges this year alone.

What This Means for Consumers and Policymakers

For individuals, this breach of citizenship and race data raises serious questions about trust in government digital services. If your personal health application details—including sensitive demographic information—can be sent to advertising platforms without your knowledge, the very concept of privacy in healthcare is undermined. Policymakers must now grapple with enforcing stricter regulations on pixel trackers, especially on sites handling protected health information. Learn more about protecting your healthcare data online.

Steps to Protect Your Information

While the responsibility largely falls on institutions, consumers can take some precautions. Use privacy-focused browser extensions that block trackers, review the privacy policies of healthcare websites, and consider using virtual private networks (VPNs) when accessing sensitive portals. Additionally, check if your personal data has been exposed in recent breaches. For a deeper dive into how ad tech companies handle user data, read our explainer on ad tech data collection practices.

In conclusion, the Bloomberg investigation serves as a stark reminder that even government-run platforms are vulnerable to privacy lapses. As more Americans rely on state insurance exchanges, ensuring the security of citizenship and race data must become a top priority for regulators and tech companies alike.

CyberSecurity

Vercel Confirms Cyber Incident: Breach Originated from Third-Party Tool Context.ai

In a recent disclosure, Vercel has confirmed a cyber incident that may have exposed sensitive internal data. The attack, described by the company as highly sophisticated, began with an employee’s use of a third-party tool, Context.ai. This incident underscores the growing risks associated with third-party integrations in modern development workflows.

How the Vercel Cyber Incident Unfolded

According to an updated notice dated April 21, the unauthorized access started when an employee used Context.ai, a third-party tool. The attacker leveraged that access to take over the employee’s Vercel Google Workspace account, gaining entry into several Vercel environments and environment variables not marked as sensitive. Vercel emphasized that environment variables labeled as ‘sensitive’ are stored in a way that prevents them from being read, and there is currently no evidence that those values were accessed.

However, the company did confirm that a limited subset of customers had their non-sensitive environment variables compromised. These variables may include API keys, tokens, database credentials, and signing keys. Vercel has already reached out to those affected.

Threat Actor Claims and Extortion Attempt

On X (formerly Twitter), a threat actor purporting to be part of the ShinyHunters collective posted screenshots claiming to have access to multiple employee accounts, internal deployments, API keys, npm/GitHub tokens, source code, and databases. They are reportedly demanding a $2 million ransom. Vercel is working with Mandiant to verify these claims.

Despite the severity of the breach, Vercel assured users that none of its npm packages were compromised, and there is no evidence of tampering. This means projects like the popular React framework Next.js remain safe. For more on related security issues, see our article on NCSC Urging Users to Patch Next.js Flaw Immediately.

Root Cause: The Danger of OAuth and Third-Party Tools

Cory Michal, CISO at AppOmni, traced the breach back to the OAuth access that Context.ai provided to the Vercel employee’s Google Workspace account. He explained that once a user authorizes one app, that trust can extend into email, identity, CRM, development, and other systems in ways many organizations do not fully inventory or monitor. This makes a single compromised integration a powerful pivot point for attackers.

This incident highlights a critical lesson: third-party risk management cannot stop at reviewing a vendor’s SOC 2 report or penetration test results. Organizations need continuous visibility into how third-party applications are connected across their SaaS estate, what OAuth grants and integration tokens they hold, and how those relationships could be abused if one provider is compromised. For more on managing such risks, check our guide on third-party risk management best practices.
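The inventory-and-review step described above, as an added example (not Vercel's or AppOmni's code): the grant record shape, user and app names are constructed for this example; the scope strings are real Google OAuth scopes.

```python
# Added example (not Vercel's or AppOmni's code): review an inventory of
# OAuth grants in a Google Workspace tenant and flag the ones to investigate.
# Record shape and app names are constructed; scope strings are real scopes.
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    user: str          # workspace account that authorized the app
    app: str           # third-party application name
    scopes: frozenset  # OAuth scopes the app holds for that account

# Standing access to mail, files or identity: a compromised app pivots here.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/admin.directory.user",
}
MAIL_SCOPES = {s for s in SENSITIVE_SCOPES if "mail" in s}

def review_grants(grants, approved_apps):
    """Return (user, app, reason) for grants that need attention: any app not
    on the approved inventory, or an approved app holding sensitive scopes."""
    findings = []
    for g in grants:
        hits = sorted(g.scopes & SENSITIVE_SCOPES)
        if g.app not in approved_apps:
            reason = "unapproved app"
            if hits:
                reason += f" with sensitive scopes {hits}"
            findings.append((g.user, g.app, reason))
        elif hits:
            findings.append((g.user, g.app, f"approved app holds sensitive scopes {hits}"))
    return findings

def apps_with_mail_access(grants):
    """Apps able to read mail: first to revoke and re-vet after an incident."""
    return sorted({g.app for g in grants if g.scopes & MAIL_SCOPES})

# Constructed sample inventory.
SAMPLE_GRANTS = [
    Grant("alice@example.com", "Example Calendar Sync", frozenset({"https://www.googleapis.com/auth/calendar.readonly"})),
    Grant("bob@example.com", "Example Meeting Notes AI", frozenset({"https://mail.google.com/", "https://www.googleapis.com/auth/drive.readonly"})),
    Grant("dave@example.com", "Example Backup Tool", frozenset({"https://www.googleapis.com/auth/drive"})),
]
APPROVED_APPS = {"Example Calendar Sync", "Example Backup Tool"}
```

Fed from a real export of the tenant's authorized apps, the same review run on a schedule gives the continuous visibility the passage calls for.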

Customer Guidance: Steps to Mitigate Risk

In response to the Vercel cyber incident, the company has issued the following advice for all customers:

  • Enable multi-factor authentication (MFA) via authenticator app or passkey
  • Review and rotate environmental variables not marked as ‘sensitive’ as these may have been potentially exposed
  • Use the sensitive environmental variables feature to protect secret values
  • Review activity log for suspicious activity
  • Investigate suspicious or unexpected recent deployments
  • Ensure deployment protection is set to standard, at a minimum
  • Rotate deployment protection tokens

Furthermore, Vercel urges customers to adopt a proactive security posture. This includes regularly auditing third-party integrations and OAuth permissions to prevent similar breaches.

Broader Implications for the Developer Community

This Vercel cyber incident serves as a stark reminder that even well-funded, security-conscious companies can fall victim to sophisticated attacks through third-party tools. The developer community, which often relies on a rich ecosystem of integrations, must treat every third-party connection as a potential attack vector.

As a result, organizations should implement continuous monitoring of OAuth grants and integration tokens. They should also consider adopting zero-trust principles, where every access request is verified regardless of its origin. For additional insights, read our analysis on OAuth security best practices.

In conclusion, while Vercel has taken swift action to contain the breach and communicate with affected customers, the incident highlights the evolving nature of cyber threats. By learning from this event, developers and organizations can better protect themselves against similar attacks in the future.

CyberSecurity

Practice by Numbers fixes security bug that exposed dental patients’ private records

A security flaw in dental practice software from Practice by Numbers has been patched after it allowed patients to view each other’s medical documents. The bug, which affected a patient portal used by thousands of dental offices, raised serious concerns about health data protection.

The issue came to light when patient Joseph R. Cox discovered he could access other people’s files while reviewing his own dental records. He reported the problem to TechCrunch after struggling to alert the company directly.

How the dental practice software bug worked

Cox found that changing a document number in the web address bar let him load files belonging to other patients. Because the numbers appeared to be sequential, guessing other document IDs was straightforward. This meant anyone with a login could potentially view personal information, medical histories, and even photo IDs of other patients.
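An in-memory model of the lookup just described, as an added example (not Practice by Numbers' code): the document store, patient names and handler functions are constructed for illustration. The vulnerable handler trusts the document number from the URL; the fixed one checks ownership on the server and hands out random handles so numbers cannot be walked sequentially.

```python
# Added example (not Practice by Numbers' code): insecure direct object
# reference on document ids, beside the ownership-checked version.
import secrets

# Constructed sample data: document id -> (owning patient, contents)
DOCS = {
    1001: ("patient_a", "X-ray report for patient A"),
    1002: ("patient_b", "Photo ID scan for patient B"),
    1003: ("patient_a", "Treatment plan for patient A"),
}

class Forbidden(Exception):
    """Raised when a user requests a document they do not own."""

def get_document_vulnerable(user: str, doc_id: int) -> str:
    """Mirrors the bug: the caller's login is never compared to the owner."""
    return DOCS[doc_id][1]

def get_document_fixed(user: str, doc_id: int) -> str:
    """Server-side authorization: the record must belong to the caller."""
    owner, body = DOCS[doc_id]
    if owner != user:
        raise Forbidden(f"{user} does not own document {doc_id}")
    return body

# Defence in depth: random handles replace sequential numbers in URLs.
HANDLES: dict[str, int] = {}

def new_handle(doc_id: int) -> str:
    handle = secrets.token_urlsafe(16)
    HANDLES[handle] = doc_id
    return handle

def get_document_by_handle(user: str, handle: str) -> str:
    doc_id = HANDLES.get(handle)
    if doc_id is None:
        raise Forbidden("unknown document handle")
    return get_document_fixed(user, doc_id)  # ownership is still checked

def audit_accessible_ids(user: str, start: int, count: int, fetch) -> list:
    """Regression check: which of `count` sequential ids does `fetch` serve to
    `user`? For the fixed handler this must be only the user's own documents."""
    served = []
    for doc_id in range(start, start + count):
        try:
            fetch(user, doc_id)
            served.append(doc_id)
        except (Forbidden, KeyError):
            pass
    return served
```

The audit function is the kind of test that would have caught this before launch: run against the portal's document endpoint for an ordinary patient login, it must return only that patient's own records.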

The vulnerable portal is part of a broader system used in over 5,000 dental practices across the United States. Practice by Numbers develops this patient management software, which handles sensitive health records.

No clear way to report the vulnerability

Cox attempted to contact Practice by Numbers through email but received no response. The company’s website had a broken email address, causing messages to bounce back. He also tried reaching out via LinkedIn to one of the founders, but again heard nothing.

This situation reflects a growing problem: consumers who discover security flaws often have no straightforward method to report them. Similar incidents have occurred with other companies, including fashion retailer Express and Home Depot, where bugs went unreported because users couldn’t find the right contact.

Company response and fix

After TechCrunch alerted Practice by Numbers on April 13, the company took down its patient portal to address the flaw. It was restored on April 17, with the bug now resolved.

Chris Lau, co-founder and CTO, confirmed the fix and said fewer than ten patients had their information exposed. The company is working with the affected dental practice to notify those individuals. Lau added that server logs showed no evidence of previous exploitation, suggesting Cox was likely the first to discover the issue.

However, when asked whether the portal had undergone a security audit before launch, neither Lau nor co-founder Rohit Garg would confirm. Security audits are standard practice for software handling healthcare data, as they help catch common vulnerabilities early.

Lessons for healthcare software security

This incident highlights the importance of robust testing for any system that manages medical records. While no software is perfect, companies dealing with sensitive patient data have a responsibility to seek third-party reviews and establish clear reporting channels.

Garg indicated that Practice by Numbers plans to update its website to allow security researchers to report flaws, though no timeline was provided. For now, the immediate threat has been neutralised, but the case serves as a reminder that even widely used dental practice software can harbour serious weaknesses.

Patients who use online portals should remain vigilant about their data. If you suspect a security issue, consider reaching out to your provider directly or contacting a relevant authority like the Office for Civil Rights for guidance.

Building on this, the broader healthcare industry must prioritise vulnerability disclosure programs. Without them, well-meaning individuals like Cox may continue to face barriers when trying to report critical flaws. As more medical services move online, ensuring these platforms are secure should be a top priority.

CyberSecurity

Crypto Exchange Grinex Blames Western Spies for $13m Theft: Experts Question Narrative

A sanctioned cryptocurrency exchange, Grinex, has accused Western intelligence agencies of orchestrating a cyberattack that led to the theft of one billion rubles ($13.2 million) from Russian customers. However, blockchain experts are skeptical of this claim, suggesting the incident may be a false flag operation to cover an exit scam.

Grinex’s Accusation: Western Spies Behind the Attack

Grinex, based in Kyrgyzstan, is widely believed to be the successor to Garantex, which the US sanctioned in 2022 for enabling money laundering and illegal transactions. The exchange itself faced sanctions last August but continued to help Russians evade restrictions through crypto transactions.

In a statement last week, Grinex announced it had suspended operations following a “large-scale cyber-attack” by “foreign” intelligence agencies. The firm claimed that only these actors could muster the “unprecedented level of resources and technology” used in the raid, which it said was intended to harm Russia’s “financial sovereignty.”

“From the very beginning, the exchange’s infrastructure has been subject to attacks,” a Grinex spokesperson said. “We have documented systematic attempts to restrict the transfer of cryptocurrency outside the CIS: the exchange was placed on sanctions lists, crypto wallets were deliberately targeted, and transactions were blocked. Today, attempts to destabilize the domestic financial sector have reached a new level – the direct theft of assets from Russian citizens and companies using complex cyber-attacks.”

Grinex said it filed a criminal complaint about the attack and shared relevant information with law enforcement. It also provided the crypto address where the stolen funds were allegedly deposited after being converted to TRX.

Blockchain Experts Question Grinex’s Narrative

However, forensics firm Chainalysis has raised serious doubts about Grinex’s story. The firm noted that Western agencies typically freeze centralized stablecoins rather than swapping them. In this attack, the stablecoins were quickly swapped for a non-freezable, more decentralized token—a classic tactic used by cybercriminals to launder funds.

“Shortly after the funds were exfiltrated, they were actively moved by leveraging a popular Tron-based decentralized exchange (DEX) to swap the stablecoins into Tron (TRX), the native token of the Tron blockchain,” Chainalysis explained. “Interestingly, this specific DEX was previously heavily leveraged by Garantex – Grinex’s sanctioned predecessor – as a source of liquidity to gas-fund its hot wallets. This behavior immediately raises reasonable questions about Grinex’s claim that Western authorities are behind the attack.”

Chainalysis suggested that this could be a false flag attack, potentially to cover an attempt by administrators to move funds to their own wallets. “Faced with mounting international pressure and a shrinking operational footprint, actors associated with Grinex could be using the guise of an alleged hack to quietly siphon liquidity and execute an exit scam,” it said.

As of now, the exfiltrated funds remain in a single address. As they move downstream, forensic blockchain evidence will provide additional clues into who might be responsible.

Implications for Sanctioned Crypto Exchanges

This incident highlights the ongoing challenges faced by sanctioned exchanges operating in a gray area. Grinex’s accusations come amid increasing international pressure on entities that help Russia evade sanctions. The US Treasury has repeatedly targeted such platforms, freezing assets and imposing penalties.

For readers interested in similar cases, check out our article on DeFi Protocol Balancer Loses Over $120m in Cyber Heist. Additionally, learn more about how sanctioned crypto exchanges operate under regulatory scrutiny.

In conclusion, while Grinex blames Western spies for the theft, blockchain evidence suggests a more mundane explanation: an insider job or exit scam. As the investigation unfolds, the crypto community will watch closely for further developments.
