Vimeo has confirmed a security incident involving unauthorized access to user and customer data following a breach at third-party analytics provider Anodot. The incident involved attackers stealing authentication tokens and using them to access connected cloud environments, including Vimeo systems.
According to Vimeo, the accessed data includes technical information, video titles, metadata, and in some cases customer email addresses. The company stated that video content, login credentials, and payment card information were not accessed, and there was no disruption to its services.
Vimeo said it disabled Anodot credentials, removed the integration, engaged external security experts, and notified law enforcement, while the investigation into the incident remains ongoing.
The breach has been linked to the ShinyHunters extortion group, which has claimed responsibility and threatened to release stolen data.
Denis Calderone, CTO, Suzu Labs:
“This has become such a prevalent pattern. A third-party SaaS provider gets compromised, its authentication tokens get stolen, and suddenly attackers are inside customer cloud environments pulling data from Snowflake, BigQuery, Salesforce, or whatever else that integration was allowed to reach. Vimeo is just the latest to fall victim to this new trend in supply chain risk.
“Vimeo can say its core systems were not disrupted and that video content, passwords, and payment cards were not accessed, and that may all be true. But was that ever the real target? If your goal is data theft and extortion, you do not necessarily need production systems. All data has some amount of inherent value, and the downstream data stores where customer metadata, operational data, reporting exports, and business intelligence live may be just as valuable as what Vimeo is emphasizing was not affected.
“ShinyHunters has been very good at turning “limited” data exposure into leverage. SoundCloud said the exposed data was mostly email addresses and public profile information, and the group still used it for extortion and harassment. Panera described its incident as customer contact information, and that still became 5.1 million exposed accounts. AT&T’s Snowflake incident did not expose call content or Social Security numbers, but call and text metadata alone reportedly led to a six-figure payment.
“My guess is Vimeo lands in that same lane. Not a catastrophic platform compromise if Vimeo’s statement holds, but enough context to create pressure. Video titles, metadata, technical data, and email addresses could help attackers embarrass enterprise customers, threaten Vimeo’s reputation, and craft follow-on phishing that references real projects or business relationships.
“For organizations using third-party SaaS integrations, the takeaway is to inventory every integration that can read from your cloud data platforms, identify what tokens exist, who owns them, when they were last rotated, and what data they can actually reach. Monitor for abnormal query volume, unusual exports, access from new infrastructure, and dormant integrations suddenly becoming active. If a vendor in that trust chain reports an incident, don’t wait for a perfect impact statement. Act fast and proactively revoke and rotate first, then investigate. Also, make sure your threat modeling is taking this attack pattern into account, because this is becoming the norm these days.”
Damon Small, Board of Directors, Xcape, Inc.:
“The Vimeo breach via Anodot is a high-fidelity case study in the vulnerability of the modern “integrated” enterprise. By compromising the third-party analytics provider Anodot and stealing its authentication tokens, the ShinyHunters extortion group bypassed Vimeo’s own identity perimeter to directly query its Snowflake and BigQuery data warehouses. While Vimeo’s confirmation that raw video content and passwords remain secure is a necessary PR distinction, it underplays the reality of the breach: the exfiltration of customer email addresses and video metadata from a centralized cloud environment creates a persistent, high-value asset for downstream phishing and social engineering.
“For security practitioners and executives, this incident exposes the “read-only” fallacy. Many organizations grant third-party SaaS tools programmatic access to their data lakes under the assumption that the integration is limited in scope; however, in a cloud-native environment, a stolen token is often functionally equivalent to a root credential for bulk data export. The April 30 “pay or leak” deadline set by ShinyHunters highlights the urgent need for a shift toward identity-based, time-bound access.
“Organizations must immediately audit their service-to-service integrations and implement rigid “least privilege” controls – specifically monitoring for unauthorized COPY INTO or UNLOAD commands within cloud warehouses that signify bulk exfiltration. If your vendor security assessment ended with a SOC 2 report instead of a review of their token management lifecycle, you are essentially outsourcing your data integrity to the weakest link in your supply chain.
“Read-only” permissions are the security industry’s favorite fairy tale – until someone uses them to export your entire database.”
Vishal Agarwal, CTO, Averlon:
“Third-party breaches become much more consequential when the compromised asset is trust itself. Stolen authentication tokens carry delegated access into connected environments, and those tokens work silently until someone explicitly revokes them. When a third-party provider is compromised, every token it holds can become a potential entry point into the environments those tokens connect to.
“The real risk isn’t just what was exposed at the vendor. It’s how much inherited access those tokens may have provided downstream. Organizations should treat third-party token grants like privileged credentials: audit them regularly, scope them tightly, and revoke anything that isn’t actively needed.”
Third party hacks, supply chain attacks, whatever you want to call them are the new hotness. Thus you need to treat third parties as untrustworthy until proven otherwise. Otherwise you will be added to the growing list of organizations that have been pwned by ShinyHunters.
Vimeo Pwned By ShinyHunters
Posted in Commentary with tags Hacked on April 29, 2026 by itnerdVimeo has confirmed a security incident involving unauthorized access to user and customer data following a breach at third-party analytics provider Anodot. The incident involved attackers stealing authentication tokens and using them to access connected cloud environments, including Vimeo systems.
According to Vimeo, the accessed data includes technical information, video titles, metadata, and in some cases customer email addresses. The company stated that video content, login credentials, and payment card information were not accessed, and there was no disruption to its services.
Vimeo said it disabled Anodot credentials, removed the integration, engaged external security experts, and notified law enforcement, while the investigation into the incident remains ongoing.
The breach has been linked to the ShinyHunters extortion group, which has claimed responsibility and threatened to release stolen data.
Denis Calderone, CTO, Suzu Labs:
“This has become such a prevalent pattern. A third-party SaaS provider gets compromised, its authentication tokens get stolen, and suddenly attackers are inside customer cloud environments pulling data from Snowflake, BigQuery, Salesforce, or whatever else that integration was allowed to reach. Vimeo is just the latest to fall victim to this new trend in supply chain risk.
“Vimeo can say its core systems were not disrupted and that video content, passwords, and payment cards were not accessed, and that may all be true. But was that ever the real target? If your goal is data theft and extortion, you do not necessarily need production systems. All data has some amount of inherent value, and the downstream data stores where customer metadata, operational data, reporting exports, and business intelligence live may be just as valuable as what Vimeo is emphasizing was not affected.
“ShinyHunters has been very good at turning “limited” data exposure into leverage. SoundCloud said the exposed data was mostly email addresses and public profile information, and the group still used it for extortion and harassment. Panera described its incident as customer contact information, and that still became 5.1 million exposed accounts. AT&T’s Snowflake incident did not expose call content or Social Security numbers, but call and text metadata alone reportedly led to a six-figure payment.
“My guess is Vimeo lands in that same lane. Not a catastrophic platform compromise if Vimeo’s statement holds, but enough context to create pressure. Video titles, metadata, technical data, and email addresses could help attackers embarrass enterprise customers, threaten Vimeo’s reputation, and craft follow-on phishing that references real projects or business relationships.
“For organizations using third-party SaaS integrations, the takeaway is to inventory every integration that can read from your cloud data platforms, identify what tokens exist, who owns them, when they were last rotated, and what data they can actually reach. Monitor for abnormal query volume, unusual exports, access from new infrastructure, and dormant integrations suddenly becoming active. If a vendor in that trust chain reports an incident, don’t wait for a perfect impact statement. Act fast and proactively revoke and rotate first, then investigate. Also, make sure your threat modeling is taking this attack pattern into account, because this is becoming the norm these days.”
Damon Small, Board of Directors, Xcape, Inc.:
“The Vimeo breach via Anodot is a high-fidelity case study in the vulnerability of the modern “integrated” enterprise. By compromising the third-party analytics provider Anodot and stealing its authentication tokens, the ShinyHunters extortion group bypassed Vimeo’s own identity perimeter to directly query its Snowflake and BigQuery data warehouses. While Vimeo’s confirmation that raw video content and passwords remain secure is a necessary PR distinction, it underplays the reality of the breach: the exfiltration of customer email addresses and video metadata from a centralized cloud environment creates a persistent, high-value asset for downstream phishing and social engineering.
“For security practitioners and executives, this incident exposes the “read-only” fallacy. Many organizations grant third-party SaaS tools programmatic access to their data lakes under the assumption that the integration is limited in scope; however, in a cloud-native environment, a stolen token is often functionally equivalent to a root credential for bulk data export. The April 30 “pay or leak” deadline set by ShinyHunters highlights the urgent need for a shift toward identity-based, time-bound access.
“Organizations must immediately audit their service-to-service integrations and implement rigid “least privilege” controls – specifically monitoring for unauthorized COPY INTO or UNLOAD commands within cloud warehouses that signify bulk exfiltration. If your vendor security assessment ended with a SOC 2 report instead of a review of their token management lifecycle, you are essentially outsourcing your data integrity to the weakest link in your supply chain.
“Read-only” permissions are the security industry’s favorite fairy tale – until someone uses them to export your entire database.”
Vishal Agarwal, CTO, Averlon:
“Third-party breaches become much more consequential when the compromised asset is trust itself. Stolen authentication tokens carry delegated access into connected environments, and those tokens work silently until someone explicitly revokes them. When a third-party provider is compromised, every token it holds can become a potential entry point into the environments those tokens connect to.
“The real risk isn’t just what was exposed at the vendor. It’s how much inherited access those tokens may have provided downstream. Organizations should treat third-party token grants like privileged credentials: audit them regularly, scope them tightly, and revoke anything that isn’t actively needed.”
Third party hacks, supply chain attacks, whatever you want to call them are the new hotness. Thus you need to treat third parties as untrustworthy until proven otherwise. Otherwise you will be added to the growing list of organizations that have been pwned by ShinyHunters.
Leave a comment »