
Vercel reveals customer data was stolen before its recent hack — and the breach may be bigger


App and website hosting powerhouse Vercel has disclosed that hackers managed to steal some of its customers’ data before the company discovered a major breach in early April. The revelation suggests the incident is more serious than first reported.

In an updated security notice, Vercel said its expanded investigation uncovered evidence of malicious activity on its network that predates the April intrusion. The company now believes a small number of customer accounts were compromised through social engineering, malware, or other tactics — separate from the main attack.

Vercel customer data stolen in two waves

Vercel initially reported that its internal systems were breached after an employee downloaded an app from startup Context AI. Hackers exploited that app to hijack the employee’s work account and then infiltrate Vercel’s network.

However, the latest update indicates the Vercel data breach may have been ongoing longer than first thought. The company confirmed it found additional customer accounts compromised during the April incident, though it declined to specify how many or how far back the earlier breach dates.

“We have uncovered a small number of customer accounts with evidence of prior compromise that is independent of and predates this incident, potentially as a result of social engineering, malware, or other methods,” the company stated.

CEO links breach to infostealer malware

Vercel CEO Guillermo Rauch took to X to confirm that the hackers behind the attack have been active “beyond that startup’s compromise,” referring to Context AI, which itself confirmed a breach this week. Rauch pointed to early signs that the attackers relied on malware designed to steal valuable tokens — including keys to Vercel accounts and other services.

This behavior aligns with information-stealing malware, or infostealers, which often disguise themselves as legitimate software. Once installed, these programs collect and upload sensitive secrets from the victim’s computer, such as passwords and private keys, granting hackers access to any system those keys unlock.

“Once the attacker gets ahold of those keys, our logs show a repeated pattern: rapid and comprehensive API usage, with a focus on enumeration of non-sensitive environment variables,” Rauch explained.

The hackers used the hijacked Vercel employee’s account to reach internal systems, including customer credentials that were stored without encryption. This means the stolen Vercel customer data could include sensitive login information.

Context AI and the infostealer connection

Rauch’s comments add weight to earlier reports from security researchers that a Context AI employee’s computer was infected with infostealer malware after allegedly searching for Roblox game cheats. TechCrunch also reported that compliance startup Delve, accused of faking customer data, handled security certifications for Context AI.

Neither Vercel nor Context AI has confirmed the total number of affected customers. Both companies have warned that the breach may impact more organizations, and that additional victims could emerge in the coming weeks.

What this means for Vercel users

If you host applications or websites on Vercel, this incident underscores the importance of rotating API keys, enabling multi-factor authentication, and monitoring account activity for unusual behavior. Vercel has notified customers known to be affected so far, but the full scope remains unclear.
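The pattern Rauch describes (a stolen token followed by rapid environment-variable reads across many projects) is something account owners can look for when monitoring their own API activity. The following is an added example, not code from Vercel or from this article; the log format, token names and thresholds are constructed assumptions, and it expects log lines in time order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit-log lines (hypothetical format: ISO time, token id, method, path).
SAMPLE_LOG = """\
2025-01-01T10:00:00Z tok_ci GET /projects/web/env
2025-01-01T10:20:00Z tok_ci GET /projects/web/env
2025-01-01T11:00:01Z tok_dev GET /projects
2025-01-01T11:00:03Z tok_dev GET /projects/web/env
2025-01-01T11:00:04Z tok_dev GET /projects/api/env
2025-01-01T11:00:06Z tok_dev GET /projects/docs/env
2025-01-01T11:00:07Z tok_dev GET /projects/billing/env
2025-01-01T11:00:09Z tok_dev GET /projects/admin/env
"""

def parse(line):
    """Return (time, token, project) where project is None unless the call reads env vars."""
    ts, token, method, path = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    parts = path.strip("/").split("/")
    # In this constructed format an env-var read is GET /projects/<name>/env.
    is_env_read = method == "GET" and len(parts) == 3 and parts[0] == "projects" and parts[2] == "env"
    return when, token, parts[1] if is_env_read else None

def find_enumeration(log_text, window=timedelta(seconds=60), min_projects=4):
    """Map each token to the first time it read env vars of >= min_projects
    distinct projects inside one sliding window."""
    recent = defaultdict(deque)  # token -> (time, project) pairs still inside the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, token, project = parse(line)
        if project is None or token in alerts:
            continue
        q = recent[token]
        q.append((when, project))
        while when - q[0][0] > window:  # drop reads that fell out of the window
            q.popleft()
        if len({p for _, p in q}) >= min_projects:
            alerts[token] = when
    return alerts

if __name__ == "__main__":
    for token, when in find_enumeration(SAMPLE_LOG).items():
        print(f"ALERT {token}: env-var reads across many projects by {when.isoformat()}")
```

Counting distinct projects rather than raw requests keeps a CI token that polls one project repeatedly from triggering the alert.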

For a deeper look at how hosting providers handle security incidents, check out our guide on cloud hosting security best practices. You might also want to review how to rotate API keys safely to protect your own projects.

As investigations continue, the Vercel data breach serves as a stark reminder that even major platforms can fall victim to sophisticated malware campaigns. Stay vigilant, and consider infostealer malware protection tips to safeguard your credentials.
