Data Breach

Vercel Got Hacked Through an AI Tool You've Never Heard Of 😱

Millions of developer projects. API keys, database passwords, signing secrets — all at risk. And it started with a tiny AI productivity tool called Context.ai getting a Lumma stealer infection two months earlier. 🔥

📅 Apr 19, 2026 💸 $2M data ransom demanded 🌍 Millions of developers affected 📖 18 min read
01

What is Vercel & Why It Matters

If you've ever deployed a Next.js app with a single git push, you've used Vercel. 🚀

Vercel is the cloud platform that powers the deployment of millions of web applications. It's the company behind Next.js — the React framework that runs a huge chunk of the modern web. Companies like Airbnb, TikTok, GitHub, and thousands of startups trust Vercel to host their production apps.

🏗️ Simple Analogy

Think of Vercel like a super-smart landlord for your web app. You hand over your code, and Vercel handles everything else — hosting, scaling, SSL certificates, preview deployments, CDN distribution across the globe. In return, your app lives in Vercel's systems, including its environment — the secrets (API keys, passwords, tokens) your app needs to run.

That last part — the secrets — is exactly what made this breach so serious.

13M+ Developers on Vercel
$2M Demanded by hackers
580+ Employee records exposed
Feb 2026 When the chain started
02

What Happened: The Breach Timeline

This breach didn't happen overnight. It was a slow, methodical supply chain attack that started two months before Vercel even knew anything was wrong. 😣

Feb 2026
🦠 Context.ai Gets Infected
A Context.ai employee with sensitive access privileges is infected by a Lumma stealer — a notorious infostealer malware that silently harvests credentials, session tokens, and OAuth refresh tokens from the victim's machine.
Feb–Apr 2026
🕵️ Attacker Moves Silently
Using stolen tokens, the attacker gains access to Context.ai's Google Workspace OAuth app. This app had been granted deployment-level OAuth scopes by hundreds of organizations — including Vercel — that used Context.ai.
Apr 18, 2026
💥 Vercel Systems Accessed
The attacker leverages the compromised OAuth app to take over a Vercel employee's Google Workspace account. From there, they gain access to Vercel's internal systems and environment variables not marked as "sensitive".
Apr 19, 2026 (Morning)
🗣️ Data Listed for $2 Million
A threat actor claiming to be "ShinyHunters" posts on BreachForums: they have Vercel data — access keys, source code, database data, API keys — and are selling it all for $2 million.
Apr 19, 2026 (Afternoon)
✅ Vercel Confirms the Breach
Vercel confirms the incident publicly, stating it was caused by a third-party AI tool compromise. They engage Mandiant for incident response, notify law enforcement, and advise customers to rotate secrets.
Apr 20, 2026
🔄 Developers Scramble
Web3 and crypto teams using Vercel's Next.js framework frantically rotate API keys and audit their deployments. CoinDesk reports developers "scrambling to lock down API keys."
03

The Attack Chain: How It Really Worked

This is where it gets technically fascinating — and terrifying. 🤔 The attacker never needed to directly hack Vercel. They got in through a side door that nobody was watching.

Step 1: What is Context.ai?

Context.ai is a small enterprise AI platform. It builds AI agents trained on your company's internal knowledge, Slack conversations, docs, workflows. Companies connect it to their Google Workspace so it can read emails, docs, and calendar events to give context-aware AI responses.

Sounds harmless, right? 🤷‍♂️ Here's the problem: when you connect a tool to your Google Workspace, you grant it an OAuth token — a digital pass that says "this app can act on behalf of our org." If that token gets stolen, the attacker can act as your org.

Step 2: What is Lumma Stealer?

Lumma Stealer (also called LummaC2) is one of the most dangerous pieces of malware active today. It's sold as Malware-as-a-Service on dark web forums — meaning anyone with a few hundred dollars can buy and deploy it. It silently harvests saved credentials, browser session cookies, and OAuth refresh tokens from the infected machine and ships them to the operator.

💀 The Scary Part About Session Tokens: Modern web apps keep you logged in using cookies or tokens stored in your browser. Lumma stealer grabs these. Even if you have 2FA enabled, if your session token is stolen, the attacker is already logged in — no password or 2FA code needed. It's like stealing someone's house key while they're inside.

Step 3: OAuth as a Weapon

OAuth is the "Login with Google" system you see everywhere. Here's how it works normally:

Normal OAuth Flow
User clicks "Connect" → Google issues a token → Context.ai stores the token → Context.ai uses it to read org data

When Context.ai's internal employee got infected by Lumma Stealer, the attacker got the OAuth refresh tokens for Context.ai's Google app. A refresh token is a long-lived credential that lets the app continuously get new access tokens without asking the user again. With that:

Attack Flow
💀 Lumma Stealer infects a Context.ai employee → 🔑 OAuth token stolen (Context.ai's Google app token) → 🏢 Vercel employee's Google Workspace account taken over → 💥 Vercel internals: env vars accessed
🎯 The Core Insight

Vercel never got directly hacked. The attacker got in through a chain: Lumma Stealer → Context.ai employee → Context.ai's OAuth app → Vercel employee's Google account → Vercel's internal systems. This is the definition of a supply chain attack — you're only as secure as the least secure tool in your stack.

The Suspicious OAuth App ID

Vercel published a specific Google OAuth app ID that administrators should check for and revoke:

⚠️ Malicious OAuth App — Check & Revoke
# OAuth Client ID to look for in your Google Workspace admin console
110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com

# Steps to check:
# 1. Google Admin Console → Security → API Controls → App Access Control
# 2. Search for this Client ID
# 3. If found → Revoke access immediately
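The admin-console steps above are manual. As an added example (not from Vercel's bulletin or this post), here is a Node.js script that does the same check against exported Google Workspace token audit-log events: it finds every "authorize" event for the client ID above and lists which broad scopes each grant carried. The event shape is modelled on the Admin SDK Reports API token activity; the sample events, users and IPs are constructed.

```javascript
// Added example: scan Google Workspace "token" audit-log events for grants to one
// OAuth client ID and flag scopes broad enough that a stolen refresh token would
// expose org data. Event shape follows the Admin SDK Reports API (applicationName=token);
// the sample events below are constructed and the users/IPs in them are fictitious.

const SUSPECT_CLIENT_ID =
  '110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com';

// Scopes that let an app read mail, files, calendars or directory data for the whole org.
const BROAD_SCOPE_PATTERNS = [/gmail/, /drive/, /admin\.directory/, /calendar/];

// Constructed sample: one user granted the suspect app broad scopes; another granted
// an unrelated app a narrow scope.
const SAMPLE_EVENTS = [
  { id: { time: '2026-02-11T09:14:02Z' }, actor: { email: 'alice@example.test' },
    ipAddress: '203.0.113.10',
    events: [{ name: 'authorize', parameters: [
      { name: 'client_id', value: SUSPECT_CLIENT_ID },
      { name: 'app_name', value: 'Context.ai' },
      { name: 'scope', multiValue: ['https://www.googleapis.com/auth/gmail.readonly',
                                    'https://www.googleapis.com/auth/drive.readonly'] } ] }] },
  { id: { time: '2026-03-02T17:40:55Z' }, actor: { email: 'bob@example.test' },
    ipAddress: '203.0.113.11',
    events: [{ name: 'authorize', parameters: [
      { name: 'client_id', value: '999999999999-unrelated.apps.googleusercontent.com' },
      { name: 'app_name', value: 'Calendar Sync' },
      { name: 'scope', multiValue: ['https://www.googleapis.com/auth/calendar.readonly'] } ] }] },
];

// Read one named parameter from an event; multi-valued parameters come back as arrays.
function param(event, name) {
  const p = (event.parameters || []).find((q) => q.name === name);
  return p ? (p.multiValue ?? p.value) : undefined;
}

// Returns one finding per "authorize" event for clientId: who granted it, when,
// the app name shown to the user, and which of the granted scopes are broad.
function findGrants(activities, clientId) {
  const findings = [];
  for (const act of activities) {
    for (const ev of act.events || []) {
      if (ev.name !== 'authorize' || param(ev, 'client_id') !== clientId) continue;
      const scopes = [].concat(param(ev, 'scope') ?? []);
      findings.push({
        user: act.actor.email, time: act.id.time, app: param(ev, 'app_name'),
        broadScopes: scopes.filter((s) => BROAD_SCOPE_PATTERNS.some((re) => re.test(s))),
      });
    }
  }
  return findings;
}

console.log(JSON.stringify(findGrants(SAMPLE_EVENTS, SUSPECT_CLIENT_ID), null, 2));
```

Every user returned is one whose grant must be revoked and whose account sessions deserve a closer look in the login audit log.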
04

Environment Variables: The Real Target

To understand what was stolen, you need to understand what environment variables are — and why they're the crown jewels of any deployed application. 🔐

🔑 Simple Analogy

Think of your application like a hotel guest. The hotel room is your code. But to actually use the hotel — call room service, open the minibar, get access to the pool — you need a keycard. Environment variables are those keycards. They're the secrets your app needs to connect to databases, payment processors, external APIs, and authentication systems. Without them, your app is just a locked room with no way in.

What Lives in .env Files

Here's a typical .env file for a modern web app — the kind of thing that lives in Vercel's environment store:

🔐 Typical .env file — DO NOT commit to git
# Database
DATABASE_URL=postgresql://user:password@host:5432/mydb

# Payment Processing
STRIPE_SECRET_KEY=sk_live_51AbCdEfGhIjKlMnOpQrStUvWxYz...

# Authentication
NEXTAUTH_SECRET=super-secret-32-char-random-string
JWT_SIGNING_KEY=another-very-secret-key

# Third-party APIs
OPENAI_API_KEY=sk-proj-abc123...
SENDGRID_API_KEY=SG.xxxxxxxxxxxxxxxxxxx
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

# Crypto / Web3
WALLET_PRIVATE_KEY=0xabc123...
ALCHEMY_API_KEY=alch_xxxxxxxxxxxx

If an attacker gets your DATABASE_URL, they can read and write every record in your database. If they get your STRIPE_SECRET_KEY, they can charge customers or steal funds. If they get your WALLET_PRIVATE_KEY, crypto is gone instantly and irreversibly. 😵

Vercel's "Sensitive" vs "Non-Sensitive" Split

Vercel has a feature where you can mark environment variables as "sensitive." Sensitive vars are encrypted at rest and never shown in plaintext — not even to you after saving. The attacker only accessed variables NOT marked as sensitive.

⚠️ The Problem: Most developers don't know about or bother with this distinction. Many high-value secrets like API keys and database URLs sit in Vercel as regular (non-sensitive) env vars because the developer either didn't know better, or found it inconvenient to mark them. If your secrets weren't marked sensitive, they were visible to the attacker.
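To find the variables that sit in the wrong tier, you first need to know which of them are credentials. The following Node.js script is an added example (not Vercel tooling and not from the original post): it parses a .env file like the one above and reports every variable that holds a credential, by name or by value shape, and therefore belongs in the sensitive tier. The sample file is constructed and contains no real keys.

```javascript
// Added example: parse a .env file and list the variables that must be marked
// "sensitive" in Vercel. The sample below is constructed; no real keys appear in it.

const SAMPLE_ENV = `
# Database
DATABASE_URL=postgresql://app:s3cretpw@db.example.test:5432/mydb
NEXT_PUBLIC_SITE_NAME=My Shop
STRIPE_SECRET_KEY="sk_live_FAKE0000000000000000"
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
WALLET_PRIVATE_KEY=0x${'ab'.repeat(32)}
LOG_LEVEL=info
`;

// Variable names that conventionally carry credentials.
const NAME_HINTS = /(SECRET|PASSWORD|PASSWD|TOKEN|PRIVATE_KEY|API_KEY|SIGNING_KEY|ACCESS_KEY)/i;

// Value shapes that are credentials regardless of what the variable is called.
const VALUE_HINTS = [
  [/^[a-z]+:\/\/[^/\s:]+:[^@\s]+@/i, 'URL embeds a password'],
  [/^sk_(live|test)_/, 'Stripe secret key prefix'],
  [/^0x[0-9a-f]{64}$/i, '32-byte hex value (likely a wallet private key)'],
];

// Minimal .env parser: skips blank and comment lines, accepts an "export" prefix,
// and strips one pair of matching quotes around the value.
function parseEnv(text) {
  const vars = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$/.exec(line);
    if (!m) continue;
    let value = m[2].trim();
    if (/^(['"]).*\1$/.test(value)) value = value.slice(1, -1);
    vars.push({ name: m[1], value });
  }
  return vars;
}

// Returns { name, reasons } for every variable that should be stored as sensitive.
function auditEnv(text) {
  const findings = [];
  for (const { name, value } of parseEnv(text)) {
    const reasons = [];
    if (NAME_HINTS.test(name)) reasons.push('name suggests a credential');
    for (const [re, why] of VALUE_HINTS) if (re.test(value)) reasons.push(why);
    if (reasons.length > 0) findings.push({ name, reasons });
  }
  return findings;
}

console.log(auditEnv(SAMPLE_ENV));
```

Note that DATABASE_URL is caught only by its value: a name-based check alone would have left it in the non-sensitive tier.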

Before vs After: How to Mark Secrets Properly

✅ Via Vercel CLI — Mark variables as sensitive
# Add a sensitive secret (encrypted, never shown again)
vercel env add DATABASE_URL production --sensitive

# Or via vercel.json — "sensitive": true is what protects you
# (JSON allows no inline comments, so the note lives up here)
{
  "env": {
    "DATABASE_URL": {
      "value": "@database-url",
      "sensitive": true
    }
  }
}
05

ShinyHunters & the $2M Dark Web Listing

Before the breach was even publicly confirmed, a post appeared on BreachForums — the internet's most active dark web marketplace for stolen data. 🌑

Who Are ShinyHunters?

ShinyHunters is one of the most notorious hacking groups operating today. Their past hits include:

Here's the twist: known ShinyHunters-linked actors denied involvement in the Vercel breach. Whether that means it's a copycat using their brand, or they genuinely weren't behind it, remains unclear. The name "ShinyHunters" may have been used to demand a higher price — their reputation commands premium ransom. 🤔

What Was Listed for Sale

🗂️ The BreachForums Listing Claimed:
  • 💳 Access keys and API credentials
  • 💾 Source code snippets from internal repos
  • 🗄️ Database records (limited)
  • 🔑 Access to internal deployments
  • 👤 ~580 Vercel employee records (name, email, account status)
  • 💰 Price: $2,000,000

A sample data file was shared publicly to prove the breach was real. It contained ~580 records of Vercel employee information. This is a standard hacker tactic — post a small sample to prove authenticity, then sell the full dump.

🎯 Why $2 Million?

Vercel hosts millions of developer projects. Anyone with access to production environment variables could potentially compromise thousands of downstream applications — databases, payment processors, crypto wallets. The attacker isn't just selling Vercel's data. They're selling access to every app deployed on Vercel whose secrets weren't properly protected. The multiplier effect is massive.

06

Developer Impact & Crypto Chaos

For most enterprise software breaches, the impact stays contained. This one cascaded hard — especially in the Web3 and crypto world. 💥

Why Crypto Teams Were Hit Hardest

Crypto and DeFi applications typically store incredibly sensitive values in environment variables:

💀 The Irreversibility Problem: If a hacker drains a bank account, banks have fraud protection, chargebacks, and insurance. If a hacker drains a crypto wallet using a stolen private key — it's gone. Forever. No recourse. No reversal. This is why CoinDesk reported developers "scrambling to lock down API keys" within hours of the breach becoming public.

The Cascading Effect

How One Breach Becomes Many
Vercel breach (env vars exposed) → your app's secrets (DB creds, API keys) → your database (user data, transactions) → 💥 your users (downstream victims)

You didn't do anything wrong. Your code was fine. But because your app lived on Vercel and your secrets weren't marked sensitive — your users are now potentially at risk. This is the brutal nature of supply chain attacks: the victim of the breach isn't necessarily the one who made the mistake.

Who Was Actually Affected?

Vercel stated a "limited subset" of customers was affected and is reaching out to them directly. The company did not publish exact numbers, which is standard practice during active incident investigation. However, the affected group likely includes any customer whose:

07

Vercel's Response

Within hours of the breach being confirmed, Vercel moved fast. Here's what they did: ✅

Hour 1
🔒 Access Revoked
The compromised employee account was locked. The Context.ai OAuth app had its access revoked across Vercel's Google Workspace. All internal sessions were invalidated.
Hour 2
🔎 Mandiant Engaged
Vercel brought in Google's Mandiant — one of the world's top incident response firms — to conduct a forensic investigation and scope the full extent of the breach.
Hour 3
📢 Public Disclosure
Vercel published a security bulletin at vercel.com/kb/bulletin/vercel-april-2026-security-incident — a notably fast disclosure compared to industry norms.
Hour 4
📧 Customer Notifications
Affected customers received direct notifications with instructions to rotate environment variables and secrets, along with specific guidance on which variable types were at risk.
Ongoing
⚖️ Law Enforcement
Vercel is working with law enforcement agencies. The FBI and relevant agencies have been notified, which is standard procedure for breaches of this scale.

What Vercel Said About Sensitive Variables

Vercel's official statement clarified an important technical detail:

✅ Vercel's Confirmation: "Environment variables marked as 'sensitive' are stored in an encrypted manner that prevents them from being read. There is currently no evidence suggesting that those values were accessed by the attacker."

This is significant — it means the damage wasn't as catastrophic as it could have been. If all environment variables had been exposed, this could have been one of the worst developer infrastructure breaches in history. The sensitive flag saved a lot of developers from a very bad day.

What Vercel Is Changing

Beyond the immediate response, Vercel is implementing:

08

Key Takeaways & What You Should Do Now

Let's turn this incident into something useful. Here's what every developer and engineering team should walk away with. 💪

🔴 Immediate Actions (Do These Today)

1. Rotate Your Vercel Secrets Now

Even if you weren't notified, rotate environment variables for any project deployed on Vercel. Focus on: database credentials, API keys, JWT/session secrets, payment processor keys, and any signing keys.

🔄 Rotate Secrets Checklist
# Generate new secrets locally (command substitution, so the variable holds the output)
NEXTAUTH_SECRET="$(openssl rand -base64 32)"
JWT_SECRET="$(openssl rand -hex 64)"
# DATABASE_PASSWORD: rotate in your DB provider's dashboard
# STRIPE_SECRET_KEY:  roll in Stripe dashboard → API Keys

# Update in Vercel (vercel env add reads the new value from stdin)
vercel env rm NEXTAUTH_SECRET production
printf '%s' "$NEXTAUTH_SECRET" | vercel env add NEXTAUTH_SECRET production --sensitive

# Redeploy so the running deployment picks up the new values
vercel --prod

🟡 Short-Term (This Week)

2. Mark All Secrets as Sensitive in Vercel

Go to your Vercel project settings → Environment Variables. For every variable containing credentials, keys, tokens, or passwords — mark it as sensitive. This single action dramatically reduces your blast radius in future incidents.

3. Audit Your Third-Party OAuth Connections

Check Google Admin Console → Security → API Controls for all connected apps. Remove any you don't recognize or no longer use. Every OAuth app you've authorized is a potential attack surface. Revoke the specific malicious app ID: 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com

4. Use a Secrets Manager Instead of .env

Tools like HashiCorp Vault, AWS Secrets Manager, or Doppler store secrets with access controls, audit logs, and automatic rotation. When a breach happens at the hosting level, your secrets in a dedicated secrets manager are protected by an entirely separate access control layer.

🟢 Long-Term (Best Practices)

💡 Lesson 5: Treat Every Third-Party Tool as a Potential Attack Vector

Context.ai had read access to Google Workspace — calendar, emails, documents. That's an enormous scope for an AI productivity tool. Before granting any tool OAuth access, ask: What's the minimum scope this tool needs? What happens if this tool gets compromised? Principle of least privilege applies to SaaS integrations too.

💡 Lesson 6: Infostealers Are a Tier-1 Threat

Lumma Stealer doesn't need to break through firewalls or exploit zero-days. It sits on an employee's laptop and silently harvests everything. Endpoint Detection and Response (EDR) tools, browser extension audits, and regular employee security training are non-negotiable for companies that hold sensitive infrastructure access.

💡 Lesson 7: Supply Chain Trust Must Be Earned, Not Assumed

Vercel didn't fail — their direct systems were secure. What failed was the implicit trust given to a third-party tool. The modern developer stack has dozens of integrations: CI/CD tools, monitoring, analytics, AI assistants. Each one is a trust relationship. A breach in any of them can cascade into your systems. Map your integrations. Review their access. Revoke what you don't need.

💡 Lesson 8: Crypto Apps Need Extra Paranoia

If your app handles blockchain transactions or stores wallet keys in environment variables — consider whether those keys should ever exist in a cloud platform's environment store at all. Hardware security modules (HSMs), threshold signature schemes (TSS), and multi-party computation (MPC) wallets exist precisely to ensure that no single server breach can drain a wallet.
