- Vercel has acknowledged a cyberattack in which an attacker used a compromised third-party AI tool called Context.ai to take over an employee’s Google Workspace account and access internal systems.
- A dark web actor has claimed responsibility, asserted ties to ShinyHunters, and is demanding a ransom of $2 million.
- The company urges customers to rotate credentials and review activity logs immediately while it continues to investigate what data the attacker may have exfiltrated.

Vercel, a cloud development platform, has disclosed in a recent security bulletin a cyberattack that resulted in stolen customer information. An unidentified attacker accessed Vercel’s network infrastructure this weekend and compromised an internal system.
The breach came to light just one day before a dark web actor posted an advertisement selling stolen Vercel data, including source code and employee records.
Vercel assured customers that its services remain operational. The company has also deployed extra protection measures and monitoring. Vercel notified law enforcement and brought in incident response experts, including Mandiant, to help investigate the breach.
Attacker Used Third-Party AI Tool as Entry Point
A compromise of Context.ai, a third-party AI tool used by a Vercel team member, led to the breach of Vercel’s network. The attacker then accessed that user’s Google Workspace account and gained access to certain Vercel environments and their environment variables, some of which had not been flagged as “sensitive data”.
Vercel assesses the attacker as highly sophisticated, with the skills and experience needed to carry out such an attack. The company reached this conclusion based on how quickly the attack unfolded and the attacker’s level of knowledge of Vercel systems. This appears to be a supply chain attack, in which a smaller vendor is used as the path into a larger victim.
Vercel explained that environment variables highlighted as “sensitive” in its system remain saved in a way that prevents anyone from reading them. The company currently has no evidence that attackers accessed those sensitive values.
Vercel also published an indicator of compromise to help the wider community investigate potential malicious activity in their environments. The indicator points to a specific OAuth app connected to Google Workspace.
Dark Web Actor Claims ShinyHunters Link and Asks for $2 Million
Just one day before Vercel shared its security bulletin, a new thread appeared on a dark web forum. BleepingComputer first reported the listing. The threat actor claimed to be selling access keys, source code, and a database from Vercel.
The hacker also shared a text file containing Vercel employee information. The document itself contained 580 records related to the company’s employees, such as names, email addresses, account statuses and time stamps for activity.
The poster stated that they are a member of the group known as “ShinyHunters” and, in a standard extortion scheme, demanded $2 million to destroy the data rather than release it publicly.
While ShinyHunters has previously launched high-profile incidents involving companies such as Rockstar Games and Microsoft, the group has made no indication of its involvement in the recent situation. Security investigators advise caution in handling the hacker’s claim of connection to ShinyHunters.
The real ShinyHunters group has been linked to other major breaches. Dutch telecom Odido, for example, received a ransom demand following a ShinyHunters breach that exposed millions of customer records, showing that the group’s data theft and extortion tactics have targeted telecommunications companies as well as cloud platforms like Vercel.
Vercel did not give a specific number of customers whose data was compromised; however, it noted that it has contacted everyone the breach impacted and advised them to change their passwords immediately.
The company has also opened an investigation to determine how much information left its possession, the extent of the data the hacker stole, and any potential impact on customers.
Customers Should Rotate Credentials and Review Activity Logs
Vercel has issued several recommendations for its customers. The company urges users to review the activity logs for their accounts and environments. Customers can access these logs through the dashboard or the command line interface.
Users should also review and rotate their environment variables. If any environment variables contain secrets – such as API keys, tokens, database credentials, or signing keys – that were not marked as sensitive, those values may have been exposed. Customers should rotate them as a priority.
Vercel recommends using its sensitive environment variables feature going forward, since it protects secret values from being read back after they are set. The company also advises customers to inspect recent deployments for any unexpected or suspicious-looking activity. When in doubt, users should delete any questionable deployments.
According to the official Vercel security bulletin, although the incident originated from a small third-party AI tool, the Google Workspace OAuth app behind it suffered a broader compromise. This breach may affect hundreds of users across many organizations, not just Vercel customers.
Vercel recommends that Google Workspace administrators and Google account owners check for usage of the specific OAuth app linked in the security bulletin.
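The rotation advice above turns into a concrete triage task: list every environment variable, decide which ones hold credentials, and rotate first those that were not stored as sensitive. The script below is an added example, not Vercel’s code or anything from the bulletin. It works on a constructed JSON inventory whose `key`, `type` and `target` fields and the `"sensitive"`/`"encrypted"`/`"plain"` labels are assumptions for this example; the `NEXT_PUBLIC_` exclusion follows the Next.js convention that such variables are shipped to the browser and therefore cannot be secrets.

```python
import json
import re

# Constructed sample inventory for this example; field names and the
# "type" labels are assumptions, not real Vercel output.
SAMPLE_INVENTORY = json.dumps([
    {"key": "DATABASE_URL",          "type": "encrypted", "target": "production"},
    {"key": "STRIPE_SECRET_KEY",     "type": "plain",     "target": "production"},
    {"key": "JWT_SIGNING_KEY",       "type": "sensitive", "target": "production"},
    {"key": "NEXT_PUBLIC_SITE_NAME", "type": "plain",     "target": "preview"},
    {"key": "SENTRY_AUTH_TOKEN",     "type": "encrypted", "target": "development"},
    {"key": "LOG_LEVEL",             "type": "plain",     "target": "production"},
])

# Name fragments that usually indicate a credential. A heuristic, so the
# "low" bucket still deserves a manual look.
SECRET_NAME_RE = re.compile(
    r"(SECRET|TOKEN|PASSW(OR)?D|API_?KEY|PRIVATE_?KEY|CREDENTIAL|DATABASE_URL|_DSN$|SIGNING)",
    re.IGNORECASE,
)

PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def looks_like_secret(name: str) -> bool:
    """True if the variable name suggests it holds a credential."""
    # Next.js convention: NEXT_PUBLIC_* is inlined into client bundles, so it
    # is public by design even if the name contains "KEY".
    if name.upper().startswith("NEXT_PUBLIC_"):
        return False
    return bool(SECRET_NAME_RE.search(name))


def triage(inventory_json: str) -> dict:
    """Map (key, target) -> rotation priority.

    high   : secret-like and NOT stored as sensitive; treat as exposed, rotate first
    medium : secret-like but stored as sensitive; no evidence of exposure, rotate if in doubt
    low    : not secret-like by name; confirm by inspection that no credential hides inside
    """
    result = {}
    for item in json.loads(inventory_json):
        secretish = looks_like_secret(item["key"])
        if secretish and item["type"] != "sensitive":
            priority = "high"
        elif secretish:
            priority = "medium"
        else:
            priority = "low"
        result[(item["key"], item["target"])] = priority
    return result


def rotation_plan(inventory_json: str) -> list:
    """Ordered work list: highest priority first, then by name."""
    ranked = triage(inventory_json)
    return sorted(
        ((key, target, prio) for (key, target), prio in ranked.items()),
        key=lambda row: (PRIORITY_ORDER[row[2]], row[0]),
    )


if __name__ == "__main__":
    for key, target, prio in rotation_plan(SAMPLE_INVENTORY):
        action = "rotate now, then re-add as sensitive" if prio == "high" else "review"
        print(f"[{prio:6}] {key:24} ({target}): {action}")
```

Everything flagged `high` should be rotated at the issuing service first (the old value is what matters, not the Vercel copy) and then re-added as a sensitive variable so a repeat of this incident cannot read it back.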