Vercel Data Breach Linked to Earlier Context.ai Compromise
6 Best MVP Developers For Cybersecurity Startups and Enterprises
Hackers were able to leverage the compromise of agentic AI company Context.ai in February to take over a Google Workspace account of a Vercel employee and gain access into the company’s systems and steal customer data that is now being put up for sale on underground forums for $2 million.Vercel executives wrote in a bulletin over the weekend that its employee was using Context.ai’s AI tool and “the attacker used that access to take over the employee’s Vercel Google Workspace account, which enabled them to gain access to some Vercel environments and environment variables that were not marked as ‘sensitive.’”Data and other “environmental variables” marked as sensitive are stored in a way that prevents them from being read and the company so far has no evidence that such data was access, they wrote.The executives wrote that they’d identified a “limited subset of customers” whose Vercel credentials were compromised, and that the company had contacted those customers and recommended they immediately rotate their credentials.New Security Capabilities“In response to this, and to aid in the improvement of all of our customers’ security postures, we’ve already rolled out new capabilities in the dashboard, including an overview page of environment variables, and a better user interface for sensitive env var creation and management,” Vercel CEO Guillermo Rauch wrote in a post on X. “All of our focus right now is on investigation, communication to customers, enhancement of security measures, and sanitization of our environments. We’ve deployed extensive protection measures and monitoring.”Vercel operates a widely popular frontend cloud platform used by millions of developers use to deploy, host, and scale web applications. It also is the maintainer of the Next.js, the React web development framework. Rauch wrote that “my advice to everyone is to follow the best practices of security response: secret rotation, monitoring access to your Vercel environments and linked services, and ensuring the proper use of the sensitive env variables feature.”Help From MandiantThe company is working with Google’s Mandiant cybersecurity business and other security firms, as well as law enforcement. In addition, Vercel has contacted Context.ai to get an understanding of its compromise earlier this year.The high-profile ShinyHunters hacker and extortion group is claiming responsibility for the attack on Vercel, claiming online that “this could be the largest supply chain attack ever if done right” and asking for $2 million for the stolen data.Rauch didn’t attribute the attack to any hackers, writing that “we believe the attacking group to be highly sophisticated and, I strongly suspect, significantly accelerated by AI. They moved with surprising velocity and in-depth understanding of Vercel.”So far, Vercel’s investigation has found that the intrusion originated from the Context.ai tool compromise and is recommending Google Workspace administrators and Google account owners check for the OAuth app 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com.Tracing It Back to Context.aiVercel executives aren’t releasing more details about the number of customers affected or the systems breached. However, more information is coming from other sources.According to researchers with cybersecurity firm Hudson Rock, an employee with Context.ai who had sensitive access privileges was compromised in February by the Lumma stealer malware when they were searching for and downloading game exploits, writing in a report April 20 that “these types of malicious downloads are notorious vectors for Lumma stealer deployments.”“This single infection led to a massive amount of corporate credentials falling directly into the hands of hackers,” they wrote. “Threat actors like ShinyHunters, who frequently target enterprise environments, are well-known to abuse exactly these types of compromised access points to facilitate deeper network intrusions.”OAuth Configurations a WeaknessIn a security notice this weekend, Context.ai executives wrote about an incident last month in which the company detected, identified, and blocked an attempt to access its cloud environment on Amazon Web Services, and subsequently discovered that the attacker also likely compromised OAuth tokens for some consumer users.“We also learned that the unauthorized actor appears to have used a compromised OAuth token to access Vercel’s Google Workspace,” they wrote. “Vercel is not a Context customer, but it appears at least one Vercel employee signed up for the AI Office Suite using their Vercel enterprise account and granted ‘Allow All’ permissions. Vercel’s internal OAuth configurations appear to have allowed this action to grant these broad permissions in Vercel’s enterprise Google Workspace.”Vulnerable Third-Party IntegrationsAnalysts with MLQ.ai, an AI-powered investment research platform, wrote in a research note that the Vercel incident “underscores vulnerabilities in third-party AI integrations, particularly those with broad OAuth scopes in enterprise environments.”“Context.ai’s compromise allowed lateral movement from an employee tool to core systems, highlighting how AI platforms trained on internal knowledge amplify risks when breached,” they wrote. “Non-sensitive environment variables, intended to aid developers, became an unintended exposure point, prompting Vercel to review this feature. This incident reveals a pattern where AI tools accelerate attacks, as CEO Rauch noted. … Supply chain risks are evident, especially for platforms like Vercel hosting crypto and web3 projects dependent on its infrastructure.”The attack didn’t target core code like Next.js, but instead “exposed frontend deployment dependencies, creating overlooked attack surfaces beyond traditional monitoring,” they added.
About Author
