Industry - Data Breach
Executive Summary
An attacker compromised Vercel's systems and stole customer credentials and sensitive data after initially infecting a Context.ai employee's computer with malware disguised as Roblox game cheats. The breach exploited interconnected cloud services, with the attacker using stolen OAuth tokens to access a Vercel employee's Google Workspace account and then pivoting to Vercel's internal environments. Vercel customers are at risk and have been advised to rotate their credentials, while the stolen ...
What Happened
In February 2025, an attacker infected a Context.ai employee's computer with Lumma Stealer malware through malicious Roblox game cheats. The attacker then used stolen OAuth tokens to access a Vercel employee's Google Workspace account, which had been granted full access to Context AI Office Suite. This access allowed the attacker to pivot into Vercel's internal environments and steal customer credentials, environment variables, access keys, source code, and databases. A threat actor claiming to be ShinyHunters has attempted to sell the stolen data on Telegram.
Who Is Affected
A limited number of Vercel customers are directly impacted and have been advised to rotate their credentials immediately. Context.ai's Google Workspace OAuth app compromise potentially affects hundreds of users across many organizations beyond just Vercel. Any organizations whose employees granted Context AI Office Suite access to their Google Workspace accounts may be at risk through the same attack vector.
Why It Matters
This incident demonstrates how modern cloud service integrations can create cascading security failures across multiple organizations. A single employee infection at one company led to credential theft at a second company, ultimately compromising customers of a third company. The attack reveals the risks of overly privileged OAuth permissions and interconnected SaaS applications, where security is only as strong as the weakest link in the integration chain.
What You Should Do
If you are a Vercel customer, immediately rotate all credentials including API keys, access tokens, and authentication secrets stored in your Vercel environment. Review and revoke OAuth permissions granted to third-party applications in your Google Workspace or other cloud accounts, especially those with full access privileges. Check Vercel's published indicators of compromise to determine if your systems show signs of unauthorized access. Enable multi-factor authentication on all accounts if not already active.
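One way to carry out the OAuth review described above, as an added example that is not from Vercel, Context.ai or the original summary: it groups third-party grants by application and lists those holding broad scopes. The sample records are constructed in the shape of Admin SDK Directory API tokens.list items, and the BROAD_SCOPES set, the allowlist parameter, and all app names and client IDs are assumptions for illustration.

```python
from collections import defaultdict

# Assumption: scopes this review treats as "full access"; adjust to local policy.
BROAD_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/cloud-platform",
}
DRIVE = "https://www.googleapis.com/auth/drive"

# Constructed sample records, shaped like items from the Admin SDK Directory
# API tokens.list response (clientId, displayText, userKey, scopes).
SAMPLE_TOKENS = [
    {"clientId": "111.apps.example", "displayText": "Example Office Suite",
     "userKey": "alice@example.com", "scopes": [DRIVE, "https://mail.google.com/"]},
    {"clientId": "111.apps.example", "displayText": "Example Office Suite",
     "userKey": "bob@example.com", "scopes": [DRIVE]},
    {"clientId": "222.apps.example", "displayText": "Example Calendar Widget",
     "userKey": "alice@example.com",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"clientId": "333.apps.example", "displayText": "Approved Backup Tool",
     "userKey": "carol@example.com", "scopes": [DRIVE]},
]

def audit_grants(tokens, broad_scopes=BROAD_SCOPES, allowlist=()):
    """Return apps holding broad scopes, widest user exposure first."""
    apps = defaultdict(lambda: {"name": "", "users": set(), "broad": set()})
    for tok in tokens:
        client_id = tok.get("clientId")
        if not client_id or client_id in allowlist:
            continue  # skip malformed records and apps already vetted
        hits = set(broad_scopes) & set(tok.get("scopes") or [])
        if not hits:
            continue  # narrow grant, not in scope for this review
        entry = apps[client_id]
        entry["name"] = tok.get("displayText") or "(unnamed app)"
        entry["users"].add(tok.get("userKey") or "unknown")
        entry["broad"] |= hits
    findings = [
        {"clientId": cid, "app": e["name"],
         "users": sorted(e["users"]), "broad_scopes": sorted(e["broad"])}
        for cid, e in apps.items()
    ]
    # Most-exposed apps first; clientId breaks ties for stable output.
    findings.sort(key=lambda f: (-len(f["users"]), f["clientId"]))
    return findings

if __name__ == "__main__":
    for f in audit_grants(SAMPLE_TOKENS, allowlist={"333.apps.example"}):
        print(f"{f['app']} ({f['clientId']}): {len(f['users'])} user(s), "
              f"revoke or re-scope {', '.join(f['broad_scopes'])}")
```

Grouping by client ID rather than by user shows how many accounts a single compromised integration would expose, which is the cascading risk this incident illustrates.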