App host Vercel says it was hacked and customer data stolen
Key Points:
- Vercel, a major cloud app hosting company, disclosed a security breach that originated in a third-party integration built by Context AI: OAuth tokens stolen from that app gave the attackers access to Vercel’s internal systems and customer data.
- The breach exposed customer credentials that were stored unencrypted, but did not affect Vercel’s popular open-source projects Next.js and Turbopack; Vercel has notified affected customers and advised them to rotate any keys and credentials that were not stored as sensitive (and were therefore readable in the compromised systems).
- Hackers claiming affiliation with the ShinyHunters group are selling stolen Vercel customer data online, though ShinyHunters have denied involvement; Vercel has not received any ransom demands.
- Context AI confirmed a breach of its consumer app in March and now suspects the incident is more extensive than initially reported, potentially affecting the OAuth tokens of multiple users.
- This breach highlights ongoing risks in supply chain attacks targeting widely used software tools, potentially impacting hundreds of users and causing downstream security issues across the tech industry.
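The rotation advice above is the practical takeaway for any team whose hosting provider or CI integration has had OAuth tokens stolen. The following is an added example (not Vercel's or Context AI's tooling) of how to triage an exported inventory of environment variables: it assumes a simple JSON shape of `project`, `key`, `sensitive` and `target` fields (an assumption for this example, not any vendor's API format), treats every credential-looking variable that was not stored as sensitive as disclosed, orders production variables first, and separately flags credential-looking variables under a public-bundle prefix, because those are shipped to browsers and rotating them does not close the exposure.

```python
"""Triage which environment variables must be rotated after a hosting-platform breach.

Added example for this article; not part of any vendor's tooling.  The inventory
shape below is an assumption chosen for the example.
"""
import json
import re

# Constructed sample inventory (no real values; only names and storage metadata).
SAMPLE_INVENTORY = json.dumps([
    {"project": "shop-web", "key": "STRIPE_SECRET_KEY", "sensitive": False, "target": ["production"]},
    {"project": "shop-web", "key": "DATABASE_URL", "sensitive": False, "target": ["production", "preview"]},
    {"project": "shop-web", "key": "NEXT_PUBLIC_SITE_NAME", "sensitive": False, "target": ["production"]},
    {"project": "shop-web", "key": "SESSION_SECRET", "sensitive": True, "target": ["production"]},
    {"project": "shop-web", "key": "NEXT_PUBLIC_ANALYTICS_KEY", "sensitive": False, "target": ["production"]},
    {"project": "docs", "key": "GITHUB_TOKEN", "sensitive": False, "target": ["development"]},
    {"project": "docs", "key": "LOG_LEVEL", "sensitive": False, "target": ["production"]},
])

# Variable names that usually hold a credential.  Extend for your own naming scheme.
CREDENTIAL_PATTERN = re.compile(
    r"(SECRET|TOKEN|PASSW(OR)?D|PRIVATE_KEY|API_KEY|_KEY$|DATABASE_URL|_DSN$)", re.I
)

# Prefixes that bundlers inline into client-side code (assumed list for the example).
PUBLIC_PREFIXES = ("NEXT_PUBLIC_", "PUBLIC_", "VITE_")


def looks_like_credential(name: str) -> bool:
    """True if the variable name suggests it holds a secret."""
    return CREDENTIAL_PATTERN.search(name) is not None


def triage(inventory_json: str) -> dict:
    """Classify credential-looking variables from a JSON inventory.

    rotate: stored readable (not sensitive); assume disclosed and rotate at the issuer.
    remove: public-prefixed, so already shipped to browsers; move it server-side,
            rotating alone does not help.
    ok:     stored as sensitive (write-only); not readable from the platform.
    """
    out = {"rotate": [], "remove": [], "ok": []}
    for var in json.loads(inventory_json):
        if not looks_like_credential(var["key"]):
            continue
        ref = f"{var['project']}:{var['key']}"
        if var["key"].upper().startswith(PUBLIC_PREFIXES):
            out["remove"].append(ref)
        elif not var.get("sensitive", False):
            # Production credentials first; the sort is stable so inventory order is kept otherwise.
            out["rotate"].append((0 if "production" in var.get("target", []) else 1, ref))
        else:
            out["ok"].append(ref)
    out["rotate"] = [ref for _, ref in sorted(out["rotate"], key=lambda item: item[0])]
    return out


if __name__ == "__main__":
    result = triage(SAMPLE_INVENTORY)
    for bucket, refs in result.items():
        print(f"{bucket}:")
        for ref in refs:
            print(f"  {ref}")
```

Feed it the inventory exported from your platform (after mapping the fields to this shape) and work the `rotate` list top to bottom, revoking the old value at the issuer rather than just overwriting it in the platform; anything in `remove` needs a redesign, not a new value.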