Vercel breach indicates larger issue of outdated security

“The world is changing really, really rapidly,” Polygraf AI CEO warns.

Put the danger in context.

That’s the message to customers from cloud platform Vercel after threat actor ShinyHunters breached the company’s system and absconded with user data.

Attackers gained access to a Vercel employee’s credentials via AI platform Context.ai’s Google Workspace OAuth app, which was breached in 2024. The way permissions for API Key applications are set up means that attacks like this can often see high success rates. While Vercel stores its information “fully encrypted at rest,” as CEO Guillermo Rauch detailed in a post on X, the breach was still significant.

“We have numerous defense-in-depth mechanisms to protect core systems and customer data,” Rauch wrote. “We do have a capability however to designate environment variables as ‘non-sensitive.’ Unfortunately, the attacker got further access through their enumeration.”

History lesson. It’s not the first time ShinyHunters has attacked a service provider to access more valuable downstream data, as Keyfactor CTO Ted Shorter told IT Brew in an email. In 2025, the threat actor breached Salesloft Drift, using tokens to access Salesforce data through long-term API keys.

“It’s another indictment of what appears to be the current, standard practice of using long-term keys to set up access between different SaaS apps,” Shorter wrote. “Unfortunately, this is likely going to get worse before it gets better. Companies see the strong business value in connecting systems, and AI is pushing even more adoption of this practice, but these API keys are effectively just ‘fixed passwords.’”

Open-door policy. The API keys, Polygraf AI CEO Yagub Rahimov told IT Brew, are an indication of a broader issue—how to keep yourself secure in a world where solutions are tested, and broken, on a near-daily basis. Google Workspace was the target this time, but the specifics of the app are not unique.

“It’s designed to be a security measure, but the world is changing really, really rapidly,” Rahimov told IT Brew.

About the author

Eoin Higgins

Eoin Higgins is a reporter for IT Brew whose work focuses on the AI sector and IT operations and strategy.
