Vercel Confirms Unauthorized Access to Internal Systems
Cloud development platform Vercel has officially acknowledged a security incident following claims by a threat actor who says they breached the company's systems and are now attempting to sell the stolen data. The disclosure came via a security bulletin published on April 19, 2026.
Vercel is a widely used cloud platform offering hosting and deployment infrastructure, with a particular focus on JavaScript frameworks. The company is the creator of Next.js, a popular React-based web framework, and provides services including serverless functions, edge computing, and CI/CD pipelines that help developers build, preview, and ship applications at scale.
What Vercel Has Officially Said
In its security bulletin, Vercel confirmed that a limited subset of its customers was affected by the incident. The company stated:
"We've identified a security incident that involved unauthorized access to certain internal Vercel systems. We are actively investigating, and we have engaged incident response experts to help investigate and remediate. We have notified law enforcement and will update this page as the investigation progresses."
Vercel emphasized that its core services have not been impacted and that the company is working directly with affected customers. As a precautionary measure, Vercel is advising customers to review their environment variables, make use of the platform's sensitive environment variable feature, and rotate secrets where necessary.
Threat Actor Claims and Forum Post Details
The company's disclosure follows a post on a well-known hacking forum by a threat actor claiming to be affiliated with the ShinyHunters group. In that post, the individual alleged they had successfully breached Vercel and were offering access to stolen company assets for sale.
The data allegedly being sold includes:
- Access keys and API keys
- Source code repositories
- Database data
- Access to internal deployments
- NPM tokens and GitHub tokens belonging to employees
The attacker's forum post stated: "This is just from Linear as proof, but the access I'm about to give you includes multiple employee accounts with access to several internal deployments, API keys (including some NPM tokens and some GitHub tokens)."
It is worth noting that while the forum poster claims to be part of ShinyHunters, threat actors linked to recent attacks attributed to the ShinyHunters extortion gang have separately told BleepingComputer that they are not involved in this particular incident.
Employee Data and Internal Dashboard Allegedly Exposed
Beyond the forum post itself, the attacker shared a text file containing information on 580 Vercel employees. The records reportedly include names, Vercel email addresses, account status, and activity timestamps. Additionally, the threat actor circulated what appeared to be a screenshot of an internal Vercel Enterprise dashboard.
BleepingComputer has stated that it was unable to independently verify the authenticity of either the data file or the screenshot.
Alleged $2 Million Ransom Demand
In messages shared via Telegram, the threat actor also claimed to have been in direct communication with Vercel about the breach. According to those messages, the attacker discussed an alleged ransom demand of $2 million with the company.
BleepingComputer reached out to Vercel with follow-up questions regarding whether any sensitive data or credentials were exposed, and whether the company is engaged in negotiations with the attackers. The publication stated it would update its reporting upon receiving a response.
Context and Ongoing Investigation
This incident adds Vercel to a growing list of technology and cloud platform companies that have faced extortion-style breaches in recent months. The involvement — or claimed involvement — of ShinyHunters is notable, given the group's history of high-profile breaches targeting major technology firms and data repositories.
For developers and organizations relying on Vercel's infrastructure, the potential exposure of API keys, GitHub tokens, and NPM tokens is particularly concerning, as these credentials can serve as entry points into downstream systems, repositories, and software supply chains. Vercel's recommendation to rotate secrets and review environment variable configurations is a critical first step for any potentially affected customer.
The investigation remains active, with incident response experts engaged and law enforcement notified. Vercel has committed to updating its security bulletin as new information becomes available.
Source: BleepingComputer