Vercel breach: Hacker demands $2M ransom from cloud development platform
What's the story
Leading cloud development platform, Vercel, has confirmed a recent security breach. The company revealed that the attack was initiated via a compromised third-party artificial intelligence (AI) tool. Although the incident has affected a small number of its customers, it could have far-reaching consequences given Vercel's high-profile clientele including OpenAI, Cursor, Pinterest, and Bose.
Attack details
Hacker claims to be part of ShinyHunters group
The hacker behind the attack, who claims to be affiliated with the notorious ShinyHunters group, is selling data stolen from Vercel for $2 million. The group has been in the news lately for targeting Rockstar Games, makers of Grand Theft Auto (GTA). The hackers have alleged that the data they stole could be used to launch a major global supply chain attack.
Company actions
Urgent advisory for Vercel customers
In light of the security breach, Vercel has urged its customers to check their environment variables for sensitive information and rotate secrets if necessary. The company has also released updates to its dashboard, including a new interface for managing sensitive environment variables. Despite the incident, Vercel's core services remain unaffected as it works with impacted customers and informs law enforcement agencies about the matter.
Information security
Attack initiated from 3rd-party AI tool
The company clarified that the attack came from a compromised third-party AI tool used by an employee. The hackers gained access to the employee's Google Workplace account via this tool and then accessed some of Vercel's environment variables. These are stored outside an app's code and tell an app how to function. However, Vercel claims that only non-sensitive variables were accessed by the hackers in this incident.
Potential threat
ShinyHunters denied claims
The hacker, who claims affiliation with ShinyHunters, has shared a text file containing information about Vercel employees, 580 data records including names, email addresses, account status, and activity timestamps. They also claimed to have verified access keys for a potential global supply chain attack. However, the ShinyHunters group has denied these claims according to Bleepingcomputer's report.