AI cloud company Vercel breached after employee grants AI tool unrestricted access to Google Workspace — hacker seeking $2 million for stolen data

Vercel, the cloud platform behind the widely used Next.js web framework, has acknowledged a security breach after an attacker compromised a third-party AI tool called Context.ai and used it to gain access to a Vercel employee's enterprise Google Workspace account.

The breach exposed non-sensitive environment variables, and a threat actor operating under the ShinyHunters name has claimed responsibility, reportedly seeking $2 million for the stolen data. Vercel said it has engaged Google-owned incident response firm Mandiant, notified law enforcement, and contacted a limited subset of affected customers directly.

According to Vercel’s bulletin, the breach didn’t start with them but instead with Context.ai, an enterprise AI platform that builds agents trained on company-specific knowledge. At least one Vercel employee had signed up for Context.ai's AI Office Suite using their corporate account and granted it "Allow All" OAuth permissions, Context.ai explained in its own security notice, which says that “Vercel’s internal OAuth configurations appear to have allowed this action to grant these broad permissions in Vercel’s enterprise Google Workspace.” The attacker exploited that broad access to take over the employee's Vercel Google Workspace account and move laterally into internal systems.

Article continues below

Cybersecurity firm Hudson Rock claims to have traced Context.ai's own compromise back further to an employee infected by Lumma Stealer malware after downloading Roblox game exploit scripts in February. The stolen credentials reportedly included Google Workspace logins along with keys for Supabase, Datadog, and Authkit, Hudson Rock reported, but Vercel hadn’t independently confirmed this at the time of writing.

Context.ai also acknowledged that it detected and blocked unauthorized access to its AWS environment in March, but said it later learned the attacker had also compromised OAuth tokens for some consumer users.

Vercel described the attacker as "highly sophisticated based on their operational velocity and detailed understanding of Vercel's systems.” The company said environment variables marked as "sensitive" are encrypted at rest and were not accessed, but that variables stored without that designation should be treated as potentially exposed. The company instructed customers to audit activity logs, rotate any API keys, tokens, or database credentials stored in non-sensitive environment variables, and review recent deployments for anything unexpected.

Vercel has since rolled out new dashboard features, including an overview page for environment variables and an improved interface for managing sensitive variable settings. CEO Guillermo Rauch said on X that the company had analyzed its supply chain and confirmed that Next.js, Turbopack, and its other open source projects weren’t affected.

Follow Tom's Hardware on Google News, or add us as a preferred source, to get our latest news, analysis, & reviews in your feeds.