
App host Vercel says it was hacked and customer data stolen

Source: TechCrunch
Technology, April 20, 2026

Cloud app hosting giant Vercel this weekend said hackers had breached its internal systems and accessed customer data. Hackers have claimed they have stolen sensitive customer credentials from Vercel’s systems and are selling the data online.

In a statement on Sunday, Vercel said the breach originated from another software maker, Context AI. One of Vercel’s employees downloaded an app made by Context AI and connected it to their corporate account, which is hosted by Google. The hackers used that connection (known as OAuth) to take over the Vercel employee’s Google account and gain access to some of Vercel’s internal systems, including credentials that were not encrypted.

Vercel says its Next.js and Turbopack projects were not affected by the breach. Both open source projects are widely used by web and app developers.

Vercel said it has contacted customers whose app data and keys were compromised.

In a post on X, Vercel chief executive Guillermo Rauch advised customers to rotate any keys and credentials in their app deployments that are marked as “non-sensitive.”

It’s not clear who is behind the breach at Vercel or Context AI, or if they are the same hacker. The threat actor selling the data claimed to be representing the ShinyHunters hacking group in their listing on a cybercriminal forum. The post, seen by TechCrunch, claimed the hackers were selling access to customer API keys, source code, and database data stolen from Vercel.

The ShinyHunters hacker group, known for breaching cloud-based and database companies, told cybersecurity news site Bleeping Computer that they are not involved in this incident.

A spokesperson for Vercel did not say how many customers could be affected, but said that the company has not received any communication from the threat actor, such as a demand for ransom.

While details of the hack are still emerging, this security breach is the latest in a string of “supply chain” hacks in recent months that have targeted software developers whose code is widely used across the web. By compromising software that’s widely used by companies and supports web infrastructure, hackers can steal credentials from a broad range of targets at once and gain further access to large amounts of data stored by other cloud giants.

Vercel said little else about the attack, except that it was investigating the incident and had sought answers from Context AI. Vercel said the hack may affect “hundreds of users across many organizations,” and not just its own system, warning of potential downstream breaches spanning the tech industry.

Context AI, which builds evaluations and analytics for AI models, confirmed on its website that it had a breach in March involving its Context AI Office Suite consumer app. The app allows users to automate actions and workflows across multiple third-party applications by way of an unnamed third-party service.

Context AI said it notified one customer of the breach, but based on Vercel’s incident, it now believes that the incident is likely broader than first thought. Context AI said the hackers “likely compromised OAuth tokens for some of our consumer users.”

Context AI did not respond to a request for comment or questions about the breach. It’s unclear why Context AI did not disclose the breach at the time, or if the company received any demands from the hacker, such as a ransom.

Corrected to remove a reference to an unrelated Context AI whose staff were acquired by OpenAI. Updated with comment from Vercel.


Zack Whittaker

Security Editor

Zack Whittaker is the security editor at TechCrunch. He also authors the weekly cybersecurity newsletter, this week in security.

He can be reached via encrypted message at zackwhittaker.1337 on Signal. You can also contact him by email, or to verify outreach, at zack.whittaker@techcrunch.com.
