Hosting platform Vercel reports breach, customer data compromised

Cloud application hosting company Vercel has confirmed that hackers breached its internal systems over the weekend, exposing customer data. The company also said attackers have claimed to be selling stolen credentials online.

In a statement released on Sunday, Vercel explained that the incident originated from a third-party software provider, Context AI. According to the company, a Vercel employee downloaded an application built by Context AI and connected it to their corporate Google-hosted account. Through that connection, known as OAuth, attackers were able to take control of the employee’s Google account and access parts of Vercel’s internal systems, including unencrypted credentials.

Vercel clarified that its core open-source projects, including Next.js and Turbopack, were not impacted by the breach. Both frameworks are widely used across web development and application infrastructure.

The company said it has already reached out to affected customers whose application data and keys may have been exposed. Vercel CEO Guillermo Rauch also posted on X, advising users to rotate any credentials and API keys marked as “non-sensitive” in their deployments as a precautionary measure.

At this stage, it remains unclear who is responsible for the attack or whether the breaches at Vercel and Context AI are linked to the same threat actor. A hacker claiming involvement posted on a cybercriminal forum, stating that they were selling access to customer API keys, source code, and database information allegedly taken from Vercel systems. The post also referenced association with the well-known hacking group ShinyHunters.

However, ShinyHunters has denied any involvement in the incident, telling cybersecurity outlet Bleeping Computer that the group is not connected to the attack.

Vercel has not disclosed how many customers may be affected, but confirmed it has not received any ransom demands from the attackers so far. The company said its investigation is ongoing and that it has sought clarification from Context AI regarding the breach.

Security researchers say the incident reflects a broader rise in “supply chain” attacks, in which hackers target widely used developer tools and cloud services to gain access to numerous downstream systems. By compromising a single service or integration, attackers can potentially access sensitive data across multiple organisations.

Vercel warned that the impact may extend beyond its own systems, stating that the breach could affect “hundreds of users across many organisations,” potentially creating wider exposure across the technology ecosystem.

Context AI, a company focused on AI model evaluation and analytics tools, acknowledged on its website that it previously experienced a breach in March involving its Context AI Office Suite consumer application. That app allows users to automate workflows across third-party services using external integrations.

The company said it had notified at least one customer at the time, but now believes the incident may have been broader than initially understood. Context AI also stated that attackers likely compromised OAuth tokens tied to some consumer accounts.

Context AI has not responded to further questions regarding the breach or why full disclosure was not made earlier. It also remains unclear whether any ransom demands were made during the earlier incident.