- Vercel expanded its investigation into the breach and confirmed more compromised accounts than initially reported.
- Researchers linked the attack to a Context.ai account infected with the Lumma Stealer malware, which was used to access Vercel environments.
- A dark web actor attempted to sell stolen Vercel data and claimed ties to ShinyHunters, though the group denied involvement.
The number of customers affected by the latest breach at Vercel is higher than first thought, as the company confirmed finding even more compromised accounts.
Earlier this week, the cloud development platform confirmed it suffered a cyber attack and lost “non-sensitive” customer data. In the initial report, Vercel said one of its employees used a third-party AI tool called Context.ai, which appears to have been used as an entry point.
“The incident occurred with a compromise of Context.ai,” the company said, claiming the attacker used that access to take over the employee’s Google Workspace account. In doing so, they gained access to some Vercel environments and environment variables “that were not marked as ‘sensitive.’”
Infected after downloading “game hacks”
During a more thorough investigation, Vercel expanded its list of indicators of compromise and, as a result, found even more exposed accounts. It also said it found a “small number” of customer accounts with evidence of compromise that predates this attack. The company believes these are the result of social engineering or malware attacks.
It said it was notifying those affected, but declined to say how many people were affected.
In their own investigation, security researchers at Hudson Rock found that the Context.ai user was infected with the Lumma Stealer infostealer in February 2026, after searching for exploits for Roblox.
“We now understand that the threat actor has been active beyond the startup’s compromise,” Vercel CEO Guillermo Rauch said on X. “Threat intelligence points to the distribution of malware to computers in search of valuable tokens as keys to Vercel accounts and other providers.”
Just a day before Vercel announced the breach, someone tried to sell the archive on a dark web forum. “Greetings everyone. Today I am selling Access Key/Source Code/Database from Vercel,” said the attacker. They claimed to be part of the ShinyHunters team, which the group denied.
Via Hacker News



