- Vercel expanded its breach investigation, confirming more compromised accounts than initially reported.
- Researchers linked the attack to a Context.ai account infected with Lumma Stealer malware, which was used to access Vercel environments.
- A dark web actor attempted to sell stolen Vercel data, claiming ties to ShinyHunters, though the group denied involvement.
The number of customers affected by the recent breach at Vercel is bigger than initially thought, as the company confirmed finding even more compromised accounts.
Earlier this week, the cloud development platform confirmed suffering a cyberattack and losing “non-sensitive” customer data. In the initial report, Vercel said one of its employees used a third-party AI tool called Context.ai, which seems to have been used as an entry point.
“The incident originated with a compromise of Context.ai” the company said, claiming that the attacker used that access to take over that employee’s Google Workspace account. Through that, they gained access to some Vercel environments and environment variables “that were not marked as ‘sensitive’.
Article continues below
Infected after downloading “game hacks”
During a more thorough investigation, Vercel expanded its list of compromise indicators. As a result, it found even more accounts that were exposed. It also said it found a “small number” of customer accounts with evidence of proper compromises, predating this attack. These, the company believes, are the result of social engineering, or malware attacks.
It said it notified the affected individuals but did not want to say how many people were affected.
In its own investigation, security researchers Hudson Rock found that the Context.ai user was infected with the Lumma Stealer infostealer in February 2026, after searching for exploits for Roblox.
“We now understand that the threat actor has been active beyond that startup’s compromise,” Vercel CEO Guillermo Rauch said on X. “Threat intel points to the distribution of malware to computers in search of valuable tokens like keys to Vercel accounts and other providers.”
Just a day before Vercel announced the breach, someone tried selling the archive on a dark web forum. “Greetings all. Today I am selling Access Key/Source Code/Database from Vercel,” the attacker said. They claimed to be part of the ShinyHunters team, which the group denied.
Via The Hacker News
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
https://cdn.mos.cms.futurecdn.net/NGKiUcJVFBC8HkMp9dTo9a-1920-80.jpg
Source link
