-
A notorious hacking group, ShinyHunters, breached Vimeo through third-party analytics provider Anodot, accessing Google BigQuery and Snowflake cloud instances – set a deadline for ransom payment.
-
Vimeo confirmed the incident and disabled all Anodot-related credentials, but stated that video content, login credentials, and payment information remained secure throughout the breach.
-
ShinyHunters has an extensive history of major data extortion, having previously targeted Ticketmaster, Santander, Microsoft, AT&T, and dozens of Fortune 500 companies since 2020.
A major security breach has been attributed to the infamous ShinyHunters hacking group at Vimeo, the widely used video hosting service. The group alleged that they accessed Vimeo’s Google BigQuery and Snowflake cloud-based storage through a third-party analytics provider named Anodot.
Vimeo is estimated to have over 287 million users globally and the hackers gave it until April 30, 2026, to pay an extortion fee or face public exposure of the data. If Vimeo refuses to pay, the group promises to release the stolen information along with causing additional digital problems for the platform.
The breach appears to be part of a larger supply chain attack targeting Anodot, an AI-powered business monitoring firm that multiple companies use for data analytics. Security researchers report that at least twelve organizations may have suffered similar data theft through this same vulnerability.
Hackers Exploited Third-Party Analytics Provider Anodot
ShinyHunters gained access by stealing authentication tokens from Anodot, not by directly breaking into Vimeo’s core systems.
Using the stolen tokens, the attackers successfully impersonated legitimate connections to Anodot used to retrieve data from the Vimeo cloud-based databases.
This methodology allows criminals to avoid detection through abuse of already established business relationships between organizations and their vendors.
Vimeo responded quickly upon discovering the incident. The company disabled all Anodot-related credentials and removed the integration from its systems entirely.
Vimeo has contracted independent cybersecurity specialists to investigate the breach and limit the continued exposure of compromised data, the company has also alerted law enforcement authorities about the breach.
Further, Vimeo confirmed that video content, login credentials, and payment information remained secure, but the exposed data includes technical information, video titles, metadata, and some customer email addresses.
However, security experts warn that even this limited exposure carries some risks, it could enable phishing attacks against affected users.
ShinyHunters has a Long History of Major Data Extortion
ShinyHunters first gained widespread attention in the early 2020s when the group offered over 200 million stolen user records for sale on dark web markets.
The group targeted major companies including Tokopedia, Wattpad, Microsoft, and AT&T, during that initial spree. Two years ago, a member of ShinyHunters, a French citizen, received a jail sentence of three years and restitution payment of more than $5 million in an American federal court.
The group has developed its cyber activities dramatically. Rather than using encryption as their primary method of attack, ShinyHunters have turned to traditional methods of extortion, stealing accounts and threatening to release the account if the victim doesn’t pay a ransom.
In doing this they have also formed operational overlap with Scattered Spider, their primary competitors, resulting in a much more expansive operation.
The Anodot breach fits this pattern perfectly. Attackers compromised the Israeli analytics firm, then used that access to extort multiple customers, including Vimeo and Rockstar Games, showing how ShinyHunters leverages supply chain vulnerabilities for maximum extortion leverage.
In June last year, ShinyHunters claimed responsibility for breaching Ticketmaster and Santander, the hackers stole hundreds of millions of customer records. The group also executed a massive Salesforce campaign using voice phishing to gain unauthorized access to cloud applications across multiple industries, their victim list now includes major brands like Adidas, LVMH, Cisco, and Air France-KLM.
Vimeo Users Should Keep an Eye Out for Phishing Attempts
Security experts have advised users of Vimeo to remain cautious when reviewing unsolicited emails, especially from their Vimeo. Attackers could use stolen emails to send out phishing emails to either gain access to users’ login credentials or install malware. Also, users should enable multi-factor authentication to protect their accounts and watch for any suspicious activity.
According to Vimeo, the breach didn’t affect their primary systems, so there were no service interruptions. User authentication data and payment information remain secure, and Vimeo is currently still investigating the breadth of the breach. They will provide further updates to their notice to make available additional information regarding the incident.
This breach represents the third significant company to record its data exfiltration via the Anodot vulnerability. Rockstar Games and Inditex (owner of Zara) have also faced extortion threats from ShinyHunters as the group compromised similar cloud data.
Also, this incident illustrates how both third-party vendors and supply chain attacks pose an increasing threat and risk to large-scale data breaches through attackers using them as a point of entry into the organizations that suffer from documented large-scale data breaches.
