Cloud development and deployment platform Vercel has confirmed a security breach after threat actors posted on underground forums claiming to have exfiltrated sensitive internal data — and are now attempting to sell it for $2 million.
What Was Stolen
According to the threat actors' post, the stolen dataset includes:
- Internal databases containing customer and account data
- API keys and access tokens used within Vercel's infrastructure
- NPM tokens and GitHub tokens tied to Vercel's internal CI/CD pipelines
- Source code from internal repositories
- Employee credentials and access artifacts
The actors claimed access to a "limited subset" of Vercel's customer environment, though the precise scope of customer data affected has not been independently confirmed.
Attribution Dispute
The breach claim surfaced on hacking forums with threat actors initially associated with ShinyHunters — the prolific data theft group responsible for dozens of high-profile breaches in recent years, including attacks on Ticketmaster, AT&T, and educational institutions. However, members reportedly associated with ShinyHunters have publicly denied involvement, casting uncertainty on the true identity of the attackers.
Vercel's Response
Vercel confirmed the incident and advised affected customers to take the following steps:
- Review environment variables — audit what secrets are stored and where
- Rotate all secrets — regenerate API keys, tokens, and credentials immediately
- Enable sensitive variable protection — use Vercel's built-in mechanism to prevent secrets from being exposed in preview deployments or logs
- Audit deploy history — check for unauthorized or suspicious deployment activity
Why This Matters
Vercel hosts a massive portion of the modern web — powering Next.js deployments for companies ranging from startups to enterprises. A breach of Vercel's internal infrastructure has significant downstream implications:
- Supply chain risk: If API keys or deployment tokens were stolen, attackers could potentially inject malicious code into customer builds
- NPM and GitHub token exposure: These tokens could be leveraged to push unauthorized packages or access private repositories
- Customer data leakage: Vercel stores deployment logs, environment configuration, and team information that may contain sensitive business data
Immediate Actions for Vercel Users
| Action | Priority |
|---|---|
| Rotate all API keys stored in Vercel environment variables | Critical |
| Regenerate GitHub, GitLab, and Bitbucket integration tokens | Critical |
| Review team member access and remove unused accounts | High |
| Audit recent deployments for unauthorized changes | High |
| Enable Vercel's Sensitive Environment Variable Protection | High |
| Review build logs for unexpected output or secret exposure | Medium |
Rotating Vercel Secrets
```bash
# Using the Vercel CLI — list all environment variables across projects
vercel env ls --all
# Remove and re-add sensitive variables
vercel env rm SENSITIVE_VAR production
vercel env add SENSITIVE_VAR production
# Pull updated environment locally after rotation
vercel env pull .env.local
```
For secrets shared across services (database passwords, third-party API keys), rotate those credentials at the source — not just within Vercel — as the underlying credentials may have been exposed.
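As an added example (not from the article and not Vercel's own tooling), this Python script triages a `.env.local` pulled with `vercel env pull`: it flags well-known token shapes (GitHub, npm), credentials embedded in connection strings and secret-looking variable names, marks `NEXT_PUBLIC_*` hits as already shipped to the browser bundle, and emits the `vercel env rm`/`vercel env add` pairs from the section above for each finding. The `--yes` and `--sensitive` CLI flags and the sample `.env` contents are assumptions; check the flags against `vercel env --help`.

```python
import re

KNOWN_TOKENS = {  # value shapes of well-known credential types (constructed list, extend to taste)
    "GitHub token": re.compile(r"^gh[pousr]_[A-Za-z0-9]{20,}$"),
    "npm token": re.compile(r"^npm_[A-Za-z0-9]{20,}$"),
}
URL_CREDS = re.compile(r"^[a-z][a-z0-9+.-]*://[^/@:]+:[^/@]+@", re.I)  # user:pass@ in a URL
NAME_HINTS = re.compile(r"SECRET|TOKEN|PASSW|API_KEY|PRIVATE_KEY", re.I)  # secret-like names

def parse_dotenv(text):
    """Parse KEY=value lines as written by `vercel env pull`; skip comments and blanks."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("\"'")  # drop surrounding quotes
    return env

def classify(name, value):
    """Return why this variable must be rotated, or None if it looks harmless."""
    exposed = "exposed to the client bundle; " if name.startswith("NEXT_PUBLIC_") else ""  # Next.js inlines these
    for kind, pattern in KNOWN_TOKENS.items():
        if pattern.match(value):
            return exposed + f"{kind}: revoke at the issuer, not only in Vercel"
    if URL_CREDS.match(value):
        return exposed + "credential embedded in connection string: rotate at the source"
    if NAME_HINTS.search(name):
        return exposed + "secret-looking name: rotate and mark sensitive"
    return None

def triage(text):
    """Map each variable that needs rotation to its reason."""
    found = ((n, classify(n, v)) for n, v in parse_dotenv(text).items())
    return {n: r for n, r in found if r}

def rotation_commands(findings, environment="production"):
    """Emit the rm/add pair from the article per finding (--yes and --sensitive assumed from CLI docs)."""
    return [c for n in sorted(findings)
            for c in (f"vercel env rm {n} {environment} --yes", f"vercel env add {n} {environment} --sensitive")]

SAMPLE = """# constructed sample of a pulled .env.local, not real data
GITHUB_TOKEN="ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
NEXT_PUBLIC_API_KEY="plaintext-key-shipped-to-browser"
DATABASE_URL="postgres://app:hunter2@db.internal.example:5432/app"
"""
if __name__ == "__main__":
    for name, reason in triage(SAMPLE).items():
        print(f"{name}: {reason}")
```

Run it against the real pulled file with `triage(open(".env.local").read())`; anything it reports is a candidate for the rotation steps above, and the well-known token and connection-string hits need rotating at their issuer as well.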
Outlook
The incident underscores the risk of placing developer tooling platforms in the critical path of software supply chains. Vercel's central role in CI/CD pipelines for thousands of organizations makes it an attractive target for threat actors seeking broad downstream impact from a single breach.
Organizations that rely on Vercel for production deployments should treat this incident as a prompt to audit their secrets management practices — even if Vercel confirms that their specific account data was not affected.
Source: BleepingComputer