Vercel, a cloud hosting provider widely used by crypto projects, has confirmed a security breach that exposed a “limited” set of customer credentials.
In a blog post on Sunday, the company said it had “identified a security incident involving unauthorized access to certain internal Vercel systems” and is continuing to investigate the scope of the breach.
“Initially, we identified a limited subset of customers whose Vercel credentials were compromised,” the company said, adding that affected users were contacted and advised to rotate their credentials immediately.
The disclosure followed reports on X that a user known as ShinyHunters had posted on the hacking forum BreachForums, allegedly offering Vercel data for $2 million.
According to the post, the attacker claimed to possess access keys, source code, database details and employee accounts tied to internal deployments — data that could potentially be leveraged for a “global supply chain attack.”

Vercel did not directly respond to the claims made in the BreachForums post but described the attacker as “highly sophisticated,” citing their speed and deep understanding of the company’s systems.
According to CEO Guillermo Rauch, the breach began after a Vercel employee was compromised through a third-party AI tool, Context.ai. The attacker then gained access to the employee’s Google Workspace account, which opened the door to parts of Vercel’s internal infrastructure.
Rauch said customer environments are fully encrypted, though certain variables can be marked as “non-sensitive,” and the attacker was able to enumerate those variables to expand their access. He added that the group appeared to be highly advanced and likely leveraged AI to accelerate the attack.
“We believe the attacking group to be highly sophisticated and, I strongly suspect, significantly accelerated by AI,” Rauch said, noting their speed and depth of knowledge.
He added that Vercel has since implemented enhanced protections and monitoring, and reviewed its broader supply chain to ensure that projects like Next.js, Turbopack and other open-source tools remain secure.
Rauch also urged users to follow standard security practices, including rotating secrets, monitoring access to Vercel environments and connected services, and properly classifying sensitive environment variables.
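
One way to act on the last of those recommendations, as an added example that is not from Vercel or the original article: a Python check that flags variables left unmarked as sensitive whose name or value looks like a credential. The record layout (`key`, `value`, `sensitive`), the patterns and the entropy threshold are assumptions, and the sample inventory is constructed.

```python
import math
import re
from collections import Counter

# Heuristics only; tune the patterns and threshold for your own projects.
SECRET_NAME = re.compile(r"SECRET|TOKEN|PASSW|PRIVATE|CREDENTIAL|API_?KEY|DATABASE_URL", re.I)
# Connection string with inline credentials: scheme://user:password@host
URL_WITH_CREDS = re.compile(r"^[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I)
# Opaque token shape: one long run of base64/hex-style characters.
TOKEN_SHAPE = re.compile(r"^[A-Za-z0-9_+/=-]{24,}$")

def shannon_entropy(text):
    """Bits of entropy per character of text."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def secret_reasons(key, value):
    """List the heuristics under which this variable looks like a secret."""
    reasons = []
    if SECRET_NAME.search(key):
        reasons.append("name")
    if URL_WITH_CREDS.match(value):
        reasons.append("url-credentials")
    if TOKEN_SHAPE.match(value) and shannon_entropy(value) >= 4.0:
        reasons.append("high-entropy")
    return reasons

def audit(variables):
    """Map key -> reasons for variables that look secret but are not marked sensitive."""
    return {
        v["key"]: r
        for v in variables
        if not v["sensitive"] and (r := secret_reasons(v["key"], v["value"]))
    }

# Constructed inventory with fake values; the record layout is an assumption,
# not a format taken from Vercel's API or dashboard.
SAMPLE = [
    {"key": "NODE_ENV", "value": "production", "sensitive": False},
    {"key": "PAYMENT_API_KEY", "value": "placeholder-not-a-real-key", "sensitive": True},
    {"key": "DATABASE_URL", "value": "postgres://app:examplepw@db.example.internal/app", "sensitive": False},
    {"key": "UPSTREAM", "value": "q7Zp2LkV9xTfB4mWc8RyH1nJdS6uGeA3", "sensitive": False},
    {"key": "SITE_URL", "value": "https://www.example.com", "sensitive": False},
]

if __name__ == "__main__":
    for key, reasons in audit(SAMPLE).items():
        print(f"{key}: not marked sensitive ({', '.join(reasons)})")
```

Anything the audit reports should be reclassified as sensitive and its value rotated, since a value stored without that marking may already have been read.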

