Vercel has confirmed a security breach involving unauthorized access to parts of its internal systems.
Summary
- Vercel confirms breach after attacker accessed internal systems through compromised employee account linked to AI tool.
- Hackers claim access to source code, databases, and internal accounts, though scope remains unconfirmed.
- Company urges users to rotate credentials and monitor accounts after limited subset of data exposure.
The company stated that the incident affected a “limited” number of customer credentials. It reported that it detected the issue and began an investigation soon after identifying unusual activity.
The company informed affected users directly and advised them to rotate their credentials without delay. In its official update, Vercel said,
“We identified a security incident that involved unauthorized access to certain internal Vercel systems.”
The firm also noted that its response included monitoring and containment measures to prevent further access.
Reports of the breach surfaced after a user known as ShinyHunters posted on a hacking forum offering alleged Vercel data for $2 million. The post claimed access to sensitive assets such as source code, database content, and internal employee accounts.
Vercel has not confirmed the full scope of these claims. However, it described the attacker as “highly sophisticated based on their operational velocity and detailed understanding of Vercel’s systems.” The company has not provided details on whether all the data mentioned in the forum post was accessed.
According to Vercel CEO Guillermo Rauch, the breach began with a compromised employee account. He said the attacker gained access through a third-party artificial intelligence tool called Context.ai. This allowed the attacker to enter the employee’s Google Workspace account.
From there, the attacker accessed parts of Vercel’s internal systems. Rauch stated, “the attacker was then able to compromise the Vercel employee’s Google Workspace account.” He added that the attacker used this access to move through the system quickly and gather information.
Security measures and ongoing monitoring
Vercel explained that customer environments are stored with encryption. At the same time, some variables can be marked as non-sensitive, which may have been accessed during the breach. Rauch said, “the attacker got further access through their enumeration,” referring to how system data was explored.
The company has taken steps to secure its infrastructure and review its software supply chain. It confirmed that key projects such as Next.js and Turbopack remain safe.
Rauch advised users to follow standard security steps, stating, “secret rotation, monitoring access to your Vercel environments and linked services” are necessary actions after such events.
