Cloud Hosting Giant Vercel Confirms Hack: Customer Credentials Stolen and Sold Online
The cloud app hosting platform Vercel has confirmed that hackers infiltrated its internal systems and made off with sensitive customer data. This breach, which came to light over the weekend, has already led to stolen credentials being listed for sale on cybercriminal forums. The incident underscores the growing threat of supply chain attacks targeting widely used software infrastructure.
How the Vercel Hack Unfolded: A Supply Chain Entry Point
According to Vercel’s official statement, the breach originated from a third-party software maker, Context AI. One of Vercel’s employees downloaded a Context AI app and linked it to their corporate Google account using OAuth. The attackers exploited this connection to hijack the employee’s Google account, gaining unauthorized access to internal systems—including unencrypted credentials.
This attack method is a classic supply chain maneuver: instead of directly targeting the primary company, hackers compromise a smaller, less secure vendor. By doing so, they bypass robust defenses and gain access to a treasure trove of data. In this case, the stolen data included customer API keys, source code, and database contents.
What Data Was Stolen from Vercel?
The threat actor, who claimed to represent the notorious ShinyHunters hacking group, posted an advertisement on a cybercriminal forum. The listing, reviewed by TechCrunch, offered access to Vercel customer API keys, source code, and database dumps. However, ShinyHunters themselves later denied involvement in the incident, telling cybersecurity news site Bleeping Computer that they were not responsible.
Vercel has assured customers that its open source projects—Next.js and Turbopack—were not compromised. Nevertheless, the company has begun notifying affected clients and advises all users to rotate any keys or credentials marked as “non-sensitive” in their deployments. CEO Guillermo Rauch shared this warning on X, urging developers to take immediate action.
Context AI’s Role in the Breach
Context AI, which builds evaluation tools for AI models, acknowledged on its website that it suffered a breach in March involving its Office Suite consumer app. The app allowed users to automate workflows across third-party services—and the hackers likely stole OAuth tokens during that intrusion. Context AI initially notified only one customer but now believes the incident is broader than first thought.
The company has not disclosed why it delayed reporting the breach or whether it received any ransom demands. This lack of transparency raises questions about how many other organizations might be affected downstream. Vercel warned that the hack could impact “hundreds of users across many organizations,” potentially triggering a cascade of secondary breaches throughout the tech industry.
Protecting Your Data After the Vercel Breach
If you use Vercel for hosting or deployment, here are immediate steps to take:
- Rotate all API keys and credentials that are not marked as “sensitive” in your Vercel dashboard.
- Audit OAuth connections linked to your corporate accounts. Revoke any that you don’t recognize or no longer use.
- Enable multi-factor authentication on all Google Workspace accounts to add an extra layer of security.
- Monitor your logs for unusual activity, especially from third-party apps.
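The OAuth audit step can be scripted. The following is an added example, not code from Vercel, Context AI or the original article: it assumes the grants have been exported as JSON records with the fields of the Google Admin SDK Directory API token resource (userKey, clientId, displayText, scopes). The sample records, client IDs, app names and allowlist are constructed for illustration.

```python
import json
from collections import defaultdict

# Scopes that give an app broad access to mail, files or the directory.
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/admin.directory.user",
}

# Constructed sample export; client IDs, app names and users are made up.
SAMPLE_GRANTS = json.loads("""[
 {"userKey": "alice@example.com", "clientId": "1111.apps.example",
  "displayText": "Approved SSO Portal",
  "scopes": ["openid", "https://www.googleapis.com/auth/userinfo.email"]},
 {"userKey": "alice@example.com", "clientId": "2222.apps.example",
  "displayText": "Workflow Helper",
  "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/drive"]},
 {"userKey": "bob@example.com", "clientId": "2222.apps.example",
  "displayText": "Workflow Helper",
  "scopes": ["https://www.googleapis.com/auth/drive"]},
 {"userKey": "bob@example.com", "clientId": "3333.apps.example",
  "displayText": "Calendar Widget",
  "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]}
]""")

ALLOWLIST = {"1111.apps.example"}  # hypothetical: client IDs already reviewed


def audit_grants(grants, allowlist):
    """Group unreviewed OAuth grants by app; rank apps holding broad scopes first."""
    apps = defaultdict(lambda: {"name": "", "users": set(), "broad": set()})
    for g in grants:
        if g["clientId"] in allowlist:
            continue
        app = apps[g["clientId"]]
        app["name"] = g.get("displayText", "")
        app["users"].add(g["userKey"])
        app["broad"] |= BROAD_SCOPES.intersection(g.get("scopes", []))
    findings = [
        {"clientId": cid, "name": a["name"], "users": sorted(a["users"]),
         "broad_scopes": sorted(a["broad"]),
         "severity": "high" if a["broad"] else "review"}
        for cid, a in apps.items()
    ]
    # High severity first, then the apps granted by the most users.
    return sorted(findings, key=lambda f: (f["severity"] != "high", -len(f["users"])))
```

Grouping by client ID shows at a glance how many accounts a single third-party app can reach, which is the exposure to prioritise when deciding what to revoke first.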
The Bigger Picture: Supply Chain Attacks on the Rise
This incident is the latest in a string of supply chain breaches targeting software developers whose code powers a significant portion of the web. By compromising widely used tools, hackers can steal credentials from a massive pool of targets simultaneously. The Vercel hack is a stark reminder that even industry leaders are vulnerable when their vendors have weak security postures.
As investigations continue, both Vercel and Context AI are under pressure to provide more details. For now, developers must remain vigilant. The stolen credentials are already circulating on dark web forums, and the full extent of the damage may not be known for weeks.