Archive for April 20, 2026

Walmart Canada Launches Extended Care For Tech Purchases

Posted in Commentary with tags on April 20, 2026 by itnerd

Walmart Canada has launched its Extended Care program, designed to support customers making tech purchases. 

The program offers up to 2 years of extended coverage on select laptops, desktops, and TVs, along with access to tech support. It is positioned as a way to give customers added confidence when investing in higher-ticket electronics. 

Here are a few examples of eligible products: 

More info can be found here.

Hackers Pwn Vercel & Steal Data 

Posted in Commentary with tags on April 20, 2026 by itnerd

Over the weekend, cloud app hosting company Vercel said that hackers breached its internal systems and stole customer credentials, which they are now selling online. The breach originated with a compromise of Context.ai, a third-party AI tool used by a Vercel employee. The attacker used that access to take over the employee’s Vercel Google Workspace account, which in turn gave them access to some Vercel environments and to environment variables that were not marked as “sensitive.” (In Vercel, the “sensitive” variable type is the one whose value cannot be read back after creation; a variable of any other type can be read by anyone who can read the project’s settings.) 
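To turn the “not marked as sensitive” detail into a check, here is an added example (not Vercel’s code, and not from the incident bulletin) that audits a project’s environment variables for secret-looking entries that were not created with the sensitive type. It assumes the response shape of Vercel’s GET /v9/projects/{idOrName}/env endpoint (an envs list whose entries carry key, type and target, with value present for non-sensitive types); the sample response, variable names and values are constructed for this example, and the name patterns and entropy threshold are heuristics of this example, not anything Vercel ships.

```python
import json
import math
import re

# Constructed sample shaped like the JSON returned by Vercel's
# GET /v9/projects/{idOrName}/env endpoint (field names are an assumption;
# keys and values are made up for this example).
SAMPLE_ENV_RESPONSE = json.dumps({
    "envs": [
        {"key": "NEXT_PUBLIC_API_BASE", "type": "plain",
         "target": ["production", "preview"], "value": "https://api.example.test"},
        {"key": "STRIPE_SECRET_KEY", "type": "encrypted",
         "target": ["production"], "value": "sk_live_4eC39HqLyjWDarjtT1zdp7dc"},
        {"key": "DATABASE_URL", "type": "encrypted",
         "target": ["production"], "value": "postgres://app:Xk9pQ2vL7mR4tW8z@db.internal:5432/app"},
        {"key": "SESSION_SIGNING_KEY", "type": "sensitive", "target": ["production"]},
        {"key": "NODE_ENV", "type": "plain", "target": ["production"], "value": "production"},
        {"key": "INTERNAL_WEBHOOK", "type": "plain",
         "target": ["production"], "value": "a3f9c1e7b2d4486f9e0c1b7a5d3e2f10"},
    ]
})

# Variable names that usually hold credentials (heuristic for this example).
SECRET_NAME = re.compile(r"SECRET|TOKEN|PASSWORD|PASSWD|API_?KEY|PRIVATE|SIGNING|CREDENTIAL", re.I)
# scheme://user:password@host connection strings carry a credential even if the name is bland.
URL_WITH_CREDS = re.compile(r"^[a-z][a-z0-9+.-]*://[^/@\s]+:[^/@\s]+@", re.I)
# A URL without an embedded credential is public configuration, not a secret.
PLAIN_URL = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)

MIN_SECRET_LEN = 24      # shorter values are rarely machine-generated secrets
ENTROPY_THRESHOLD = 3.8  # bits per character; hex/base64 tokens sit above this, words and URLs below


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_secret(key, value):
    """Return the reasons this variable appears to hold a credential (empty list if none)."""
    reasons = []
    if SECRET_NAME.search(key):
        reasons.append("name")
    if value is not None:
        if URL_WITH_CREDS.match(value):
            reasons.append("embedded-credentials")
        elif (not PLAIN_URL.match(value)
              and len(value) >= MIN_SECRET_LEN
              and shannon_entropy(value) >= ENTROPY_THRESHOLD):
            reasons.append("high-entropy")
    return reasons


def audit_env(response_json):
    """List secret-looking variables that were not created with the 'sensitive' type."""
    findings = []
    for env in json.loads(response_json)["envs"]:
        if env.get("type") == "sensitive":
            continue  # write-only after creation, so a settings reader cannot recover the value
        reasons = looks_like_secret(env["key"], env.get("value"))
        if reasons:
            findings.append({
                "key": env["key"],
                "type": env.get("type"),
                "targets": env.get("target", []),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in audit_env(SAMPLE_ENV_RESPONSE):
        print(f"{f['key']:<20} type={f['type']:<10} targets={','.join(f['targets']):<20} "
              f"why={'+'.join(f['reasons'])}  -> recreate as type=sensitive and rotate the value")
```

On the constructed sample this flags STRIPE_SECRET_KEY (name and entropy), DATABASE_URL (credential embedded in the connection string) and INTERNAL_WEBHOOK (a 32-hex-character value under an innocuous name), and skips the plain URL, NODE_ENV and the variable that was already sensitive. Re-typing a variable does not undo exposure that has already happened, so every hit is also a rotation candidate.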

More details from Vercel here: https://vercel.com/kb/bulletin/vercel-april-2026-security-incident

Ensar Seker, CISO at SOCRadar, commented:

“This incident is a textbook example of how identity and integration layers have become the new attack surface. The breach didn’t start with Vercel itself, it started with a trusted third-party application and an OAuth connection that effectively bypassed traditional security controls.

We’re seeing a clear shift where attackers no longer need to exploit infrastructure vulnerabilities; instead, they exploit trust relationships between services. Once an OAuth token is granted, it can provide persistent and often over-privileged access, especially if organizations lack strict controls over third-party app integrations. The more concerning detail here is the mention of unencrypted credentials in internal systems. That turns what could have been a contained identity compromise into a broader data exposure event.

Organizations need to treat OAuth integrations as privileged access, enforce least privilege, continuously audit connected apps, and implement controls like device-bound sessions and conditional access. Otherwise, these types of “indirect breaches” will continue to scale faster than traditional defenses can handle.”

Lotem Finkelstein, VP Research at Check Point, offered the following commentary:

“This is not a theoretical risk but an active security incident involving a widely used library, which significantly increases the potential impact. Given its broad adoption, even a single compromise can quickly translate into large-scale exposure across organizations, so organizations need to make sure the right security measures are in place to prevent any exposure related to this library.

What makes incidents like this particularly challenging is the lack of immediate visibility — many organizations are not fully aware of where and how such dependencies are embedded across their environments, which can delay detection and response at scale.”

SOCRadar also offered the following analysis – Vercel Breach: Hacker Claims to Sell Stolen Data in Potential Global Supply Chain Attack

UPDATE: Yagub Rahimov, CEO of Polygraf AI adds this:

“One employee. One AI app. “Allow All.” That’s how Vercel got breached.

The employee signed up for Context AI’s app using their enterprise account and gave broad Google Workspace permissions. When that OAuth token was stolen, the attacker didn’t need credentials, didn’t need to bypass MFA – they just used a valid token doing exactly what it was allowed to do. The Salesloft-Drift breach in late 2025 worked the same way – attackers stole OAuth tokens from an integration provider and rode trusted connections straight into hundreds of customer environments without triggering a single login alert. The technical problem is that OAuth tokens granted to third-party apps are outside most organizations’ detection scope. They don’t appear in login logs. They don’t trigger MFA prompts. Context AI was compromised a month before anyone at Vercel knew there was a problem – and CrowdStrike apparently didn’t flag the OAuth tokens as part of their investigation scope. The token just kept working, silently, with whatever permissions the employee gave it on day one. It’s the same problem we see all the time at Polygraf AI – AI tools quietly holding OAuth access to corporate accounts that nobody is watching. The breach surface is not your perimeter anymore. It’s every OAuth grant your employees ever clicked through.”

UPDATE #2: Fredrik Almroth, co-founder and security researcher at Detectify had this to say:

“The Vercel breach is a stark reminder that modern security risks don’t stop at the boundaries of your own systems. They extend to every tool and service your organization is connected to.

What we’re seeing here is a pattern that’s becoming alarmingly common: a sophisticated attacker found a smaller, less-scrutinized part of Vercel’s ecosystem – a third-party AI productivity tool – compromised it, and used that foothold to take over an employee’s corporate account and move into Vercel’s internal systems. There was no need to go after Vercel directly, to use brute force, or sophisticated technical knowledge.

The practical lesson is to focus less on the label of the tool involved and more on the access chain: which external apps are connected to employee accounts, what those apps are allowed to do, what internal systems those accounts can reach, and whether sensitive credentials would still be exposed if that chain of trust broke.

That’s a blind spot many organizations still have. They’ve got a reasonable handle on their known vendors, but the web of third-party tools that employees connect to their work accounts organically, tool by tool, often without a formal approval process, is a different thing entirely. It’s rarely tracked, rarely reviewed, and almost never reconsidered when something goes wrong elsewhere. That’s the gap this incident exposes.

The organizations that develop real visibility into what’s connected to their systems (and what those connections can actually reach) will be the ones that catch these intrusions before an attacker decides to go public.”
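The recommendation that runs through the commentary above (Seker: audit connected apps and treat OAuth integrations as privileged access; Rahimov: third-party grants do not show up in login logs; Almroth: inventory the access chain of which apps are connected and what they can do) comes down to listing every third-party OAuth grant on every account and ranking it by scope. The following added example (not code from Vercel or from any of the quoted vendors) does that over a token listing shaped like the Google Workspace Directory API users.tokens.list response (items carrying clientId, displayText, userKey and scopes); that shape is an assumption about the API, the scope tiers are this example’s own judgement rather than a Google classification, and the app names, client IDs and grants are constructed.

```python
import json

# Constructed sample shaped like the Google Workspace Directory API
# users.tokens.list response (kind admin#directory#tokenList). The apps,
# client IDs, users and grants are made up for this example.
SAMPLE_TOKENS_RESPONSE = json.dumps({
    "kind": "admin#directory#tokenList",
    "items": [
        {"clientId": "notes-app.apps.googleusercontent.com", "displayText": "Acme Notes AI",
         "userKey": "dev@example.test", "nativeApp": False,
         "scopes": ["openid", "email", "https://www.googleapis.com/auth/drive",
                    "https://mail.google.com/"]},
        {"clientId": "cal-sync.apps.googleusercontent.com", "displayText": "Calendar Sync",
         "userKey": "dev@example.test", "nativeApp": False,
         "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
        {"clientId": "saas-login.apps.googleusercontent.com", "displayText": "Sign in to SaaS X",
         "userKey": "dev@example.test", "nativeApp": False,
         "scopes": ["openid", "email", "profile"]},
        {"clientId": "backup.apps.googleusercontent.com", "displayText": "Approved Backup",
         "userKey": "ops@example.test", "nativeApp": False,
         "scopes": ["https://www.googleapis.com/auth/drive"]},
        {"clientId": "mystery.apps.googleusercontent.com", "displayText": "Mystery Plugin",
         "userKey": "ops@example.test", "nativeApp": True,
         "scopes": ["https://www.googleapis.com/auth/contacts"]},
    ]
})

# Tiering of real Google OAuth scopes. The tiers are this example's judgement,
# not a Google classification. A scope not listed here is "unknown" so it is
# surfaced for review instead of being silently treated as harmless.
SCOPE_TIER = {
    "openid": "low", "email": "low", "profile": "low",
    "https://www.googleapis.com/auth/userinfo.email": "low",
    "https://www.googleapis.com/auth/userinfo.profile": "low",
    "https://www.googleapis.com/auth/drive.file": "low",          # only files the app itself opened/created
    "https://www.googleapis.com/auth/calendar.readonly": "read",
    "https://www.googleapis.com/auth/gmail.readonly": "read",
    "https://www.googleapis.com/auth/drive.readonly": "read",
    "https://mail.google.com/": "full",                            # full mailbox read/write/delete
    "https://www.googleapis.com/auth/drive": "full",               # every file the user can reach
    "https://www.googleapis.com/auth/admin.directory.user": "full",
    "https://www.googleapis.com/auth/cloud-platform": "full",
}
TIER_RANK = {"low": 0, "read": 1, "unknown": 2, "full": 3}


def classify_scopes(scopes):
    """Return (worst tier across the grant, scopes that are full-access or unrecognised)."""
    tiers = [SCOPE_TIER.get(s, "unknown") for s in scopes]
    worst = max(tiers, key=TIER_RANK.__getitem__, default="low")
    broad = [s for s, t in zip(scopes, tiers) if t in ("full", "unknown")]
    return worst, broad


def audit_grants(response_json, allowlist=frozenset()):
    """Rank every third-party grant; full-access grants outside the allowlist are revoke candidates."""
    findings = []
    for tok in json.loads(response_json).get("items", []):
        worst, broad = classify_scopes(tok.get("scopes", []))
        if tok["clientId"] in allowlist:
            action = "allowlisted"   # reviewed and accepted integration
        elif worst == "full":
            action = "revoke"        # nothing an AI note-taker needs justifies full Drive or mailbox access
        elif worst in ("read", "unknown"):
            action = "review"
        else:
            action = "ok"
        findings.append({
            "user": tok.get("userKey"),
            "app": tok.get("displayText"),
            "client_id": tok["clientId"],
            "tier": worst,
            "broad_scopes": broad,
            "action": action,
        })
    # Worst grants first so the top of the report is the revoke list (sort is stable).
    findings.sort(key=lambda f: TIER_RANK[f["tier"]], reverse=True)
    return findings


if __name__ == "__main__":
    approved = frozenset({"backup.apps.googleusercontent.com"})  # hypothetical allowlist
    for f in audit_grants(SAMPLE_TOKENS_RESPONSE, allowlist=approved):
        print(f"{f['action']:<11} {f['tier']:<7} {f['user']:<18} {f['app']:<18} "
              f"{' '.join(f['broad_scopes'])}")
```

Run against a real tenant, the input would be the output of users.tokens.list for each user, and a “revoke” line maps to the Directory API’s users.tokens.delete call for that user and client ID. Because these grants never produce a login event, this inventory is the only place the access shows up until the app itself is used, which is why it belongs on a schedule rather than in an incident runbook.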

Unit 42 has a new service to defend against frontier AI attacks

Posted in Commentary with tags on April 20, 2026 by itnerd

The release of the newest frontier AI models marks a turning point for cybersecurity. Late last week, Palo Alto Networks chief product & technology officer Lee Klarich published a stark warning about what this means for the industry. 

Some additional context:

  • Palo Alto Networks conducted early testing of the latest frontier AI models, including Anthropic’s Mythos model as part of Project Glasswing and OpenAI’s latest models as part of the Trusted Access for Cyber program. 
  • As a result of that testing, Lee contends we are officially moving from AI-assisted threats to autonomous, AI-driven attacks. The resulting “vulnerability deluge” means human-speed security is no longer enough.
  • Palo Alto Networks launched Unit 42 Frontier AI Defense. Instead of waiting for an AI-driven attack, this new service proactively finds and validates an organization’s exposures using the latest frontier AI models before adversaries do, transforming security in the process.

You can read more here: https://www.paloaltonetworks.com/blog/2026/04/defenders-guide-frontier-ai-impact-cybersecurity/