Vercel, a prominent platform in the frontend cloud space, has recently confirmed a serious security breach. Hackers reportedly accessed internal systems, and a group claims to be selling the stolen data for $2 million on underground forums. The breach was officially acknowledged in a security bulletin dated April 18–19, 2026.
Incident Details and Initial Response
The breach reportedly occurred through a compromised Google Workspace OAuth app linked to a third-party AI tool, Context.ai, used by a Vercel employee. This allowed attackers to infiltrate the employee’s Google Workspace account and subsequently access specific Vercel environments. Vercel, with the aid of cybersecurity firm Mandiant, is actively investigating the incident and has informed law enforcement authorities.
Vercel confirmed that environment variables marked as sensitive remain secure, but variables not marked as sensitive, including API keys and tokens, might be at risk. The company has urged customers to promptly rotate these credentials.
ShinyHunters and Data Exposure
The situation escalated when an entity claiming to be ShinyHunters advertised Vercel’s internal data, including employee records, access keys, and source code, on BreachForums for $2 million. The threat actor provided a text file with employee data and a screenshot purportedly from Vercel’s internal dashboard as proof.
Although the attackers claim to have communicated with Vercel about a ransom, the company has not publicly confirmed any such negotiations. Vercel’s CEO Guillermo Rauch described the attackers as highly sophisticated, possibly using AI tools to facilitate their access.
Security Measures and Customer Advisory
Vercel has assured its customers that Next.js and related supply chains remain unaffected, with all services operating normally. Comprehensive monitoring and protective measures have been implemented. Customers are advised to review Vercel dashboard or CLI activity logs for unusual activity and to update any environment variables containing secrets.
Additionally, Vercel recommends enabling the sensitive environment variables feature for future secrets and auditing Google Workspace for the malicious OAuth app. The company continues to provide updates through its security bulletin as the investigation unfolds.
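One way to carry out the Google Workspace audit step offline, as an added example that is not taken from Vercel's bulletin: it assumes token audit events exported in the shape of the Admin SDK Reports API (`token` application, `authorize` and `revoke` events). The client ID is a placeholder because the article does not give it, and the helper names and sample records are constructed.

```python
"""Find users who still hold an OAuth grant to a suspect app (token audit events)."""

# Placeholder: the article does not give the malicious app's OAuth client ID.
SUSPECT_CLIENT_ID = "PLACEHOLDER-CLIENT-ID.apps.googleusercontent.com"
SCOPE = "https://www.googleapis.com/auth/"


def make_activity(time, email, name, client_id, scopes=()):
    """Build one constructed record in the assumed Reports API 'token' shape."""
    params = [{"name": "client_id", "value": client_id}]
    if scopes:
        params.append({"name": "scope", "multiValue": list(scopes)})
    return {"id": {"time": time, "applicationName": "token"},
            "actor": {"email": email},
            "events": [{"name": name, "parameters": params}]}


# Constructed sample data, deliberately out of time order.
SAMPLE_ACTIVITIES = [
    make_activity("2026-04-10T09:00:00Z", "bob@example.com", "revoke", SUSPECT_CLIENT_ID),
    make_activity("2026-04-02T08:15:00Z", "alice@example.com", "authorize",
                  SUSPECT_CLIENT_ID, [SCOPE + "gmail.readonly", SCOPE + "drive"]),
    make_activity("2026-04-03T11:30:00Z", "bob@example.com", "authorize",
                  SUSPECT_CLIENT_ID, [SCOPE + "drive.readonly"]),
    make_activity("2026-04-05T14:00:00Z", "carol@example.com", "authorize",
                  "OTHER-CLIENT-ID.apps.googleusercontent.com", [SCOPE + "calendar"]),
]


def active_grants(activities, client_id):
    """Return {user: set(scopes)} for grants to client_id not revoked afterwards."""
    grants = {}
    # Same-format UTC ISO 8601 timestamps sort correctly as strings.
    for act in sorted(activities, key=lambda a: a["id"]["time"]):
        user = act["actor"]["email"]
        for event in act.get("events", []):
            params = {p["name"]: p.get("multiValue", p.get("value"))
                      for p in event.get("parameters", [])}
            if params.get("client_id") != client_id:
                continue
            if event["name"] == "authorize":
                grants.setdefault(user, set()).update(params.get("scope") or [])
            elif event["name"] == "revoke":
                grants.pop(user, None)
    return grants


if __name__ == "__main__":
    for user, scopes in active_grants(SAMPLE_ACTIVITIES, SUSPECT_CLIENT_ID).items():
        print(user, sorted(scopes))
```

Any user the function returns still holds a live grant to the app, with the listed scopes, and is a candidate for token revocation and credential rotation.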
Vercel’s response highlights the importance of robust security practices, especially in the face of increasingly sophisticated cyber threats. As the investigation proceeds, clients are encouraged to stay informed and take necessary precautions.
