Overview
- Vercel, which disclosed the incident Sunday, said an attacker used a hacked Context.ai Google Workspace OAuth app to take over a Vercel employee account and reach some internal environments.
- A limited set of customer credentials tied to environment variables not marked sensitive was exposed, while values labeled sensitive are encrypted at rest and show no evidence of access.
- Vercel brought in Mandiant, notified law enforcement, published the OAuth app ID as an indicator of compromise, and added a dashboard page to review and safeguard environment variables.
- A seller using the ShinyHunters name advertised alleged Vercel data and a $2 million demand, though the claims and attribution remain unverified and have been disputed by actors linked to that group.
- Context AI later acknowledged a March breach and said some user OAuth tokens were likely compromised, highlighting broader supply‑chain risk even as Vercel says Next.js and Turbopack were not affected.