Executive Summary
In April 2026, Vimeo disclosed a data breach affecting approximately 119,000 users, resulting from a compromise at its third-party analytics provider, Anodot. The breach was attributed to the ShinyHunters extortion group, who accessed Vimeo’s Snowflake and BigQuery cloud environments using stolen authentication tokens. The attackers exfiltrated email addresses, video titles, and technical metadata, but did not access uploaded video content, account credentials, or payment card information. Vimeo’s platform operations were not disrupted. The company has disabled all Anodot credentials, removed the service’s integration, and is working with third-party security experts and law enforcement to investigate the incident. The breach highlights the risks associated with third-party integrations in the SaaS and video hosting sector and underscores the importance of supply chain security and rapid deactivation of compromised credentials. All information in this summary is based on verified disclosures from Vimeo and independent security reporting as of April 29, 2026 (BleepingComputer, Penta Security, SecurityWeek).
Technical Information
The Vimeo data breach in April 2026 was the result of a supply chain compromise involving Anodot, a third-party analytics provider. Attackers, identified as the ShinyHunters group, exploited the trust relationship between Vimeo and Anodot to gain unauthorized access to Vimeo’s cloud data environments, specifically Snowflake and BigQuery. The attack leveraged stolen authentication tokens: long-lived credentials that an integration presents to a cloud service in place of an interactive login, so a valid token authenticates on its own, without a password prompt and without the multi-factor step that protects human users. The tokens were likely obtained through infostealer malware or direct compromise of Anodot’s systems; that pattern matches the earlier campaign against Snowflake customers, in which credentials harvested by infostealers were replayed against tenants that lacked network restrictions (Hack The Box).
Once in possession of valid authentication tokens, the attackers authenticated to Vimeo’s Snowflake and BigQuery instances. There is no evidence that the attackers escalated privileges or moved laterally within Vimeo’s own infrastructure; their access was limited to the permissions granted to Anodot’s integration, which is why the scope of the data taken is bounded by what that integration could read. The attackers enumerated and exfiltrated technical data, video titles, metadata, and some customer email addresses. Reporting on the broader campaign describes data extraction with custom scripts and DBeaver Ultimate, a general-purpose database client, against the compromised warehouses; the Vimeo disclosures do not name the specific tooling. Data was likely compressed with a standard utility such as gzip before exfiltration, a common step when moving large result sets out of a cloud environment.
The breach did not compromise uploaded video content, account credentials (such as passwords), or payment card information. Vimeo’s operational systems remained unaffected, and there was no disruption to platform services. The attackers, ShinyHunters, subsequently listed Vimeo on their extortion portal and threatened to publish the stolen data unless a ransom was paid by April 30, 2026.
The technical attack chain can be mapped to the following MITRE ATT&CK techniques:
- T1199 (Trusted Relationship): Compromise of Anodot, a trusted third party, to reach Vimeo’s cloud data.
- T1552 (Unsecured Credentials): Theft of authentication tokens from Anodot.
- T1078.004 (Valid Accounts: Cloud Accounts): Authentication to Snowflake and BigQuery with the stolen tokens; no vulnerability in either service was exploited.
- T1530 (Data from Cloud Storage): Use of tokens to access and enumerate data in Snowflake/BigQuery.
- T1213 (Data from Information Repositories): Database reconnaissance and bulk reads with DBeaver Ultimate and custom tooling (inferred from campaign TTPs; the Cloud Infrastructure Discovery technique, T1580, covers enumeration of compute and storage resources rather than of tables in a data warehouse).
- T1560.001 (Archive Collected Data: Archive via Utility): Compression of data before exfiltration (inferred from campaign TTPs).
- T1567 (Exfiltration Over Web Service): Exfiltration of data from cloud environments via web protocols.
- T1657 (Financial Theft): Ransom demand and threat to publish data.
The attribution to ShinyHunters is considered high confidence, as the group publicly claimed responsibility, listed Vimeo on their extortion portal, and the tactics, techniques, and procedures (TTPs) match their historical activity. The use of infostealer malware (such as Lumma Stealer) is confirmed in the broader campaign but not specifically cited in the Vimeo disclosures, resulting in medium confidence for this aspect.
The breach underscores the risks inherent in third-party integrations, particularly in the SaaS and video hosting sector, where analytics and monitoring providers often require broad read access to cloud data stores. The exposure of email addresses and metadata increases the risk of phishing and targeted attacks against Vimeo users. The incident demonstrates the importance of robust third-party risk management, authentication controls suited to service integrations (multi-factor authentication protects human logins but does not apply to a token an integration presents, so integration credentials need network restrictions, rotation, and a least-privilege role of their own), and rapid incident response capabilities for organizations leveraging cloud services.
Affected Versions & Timeline
The breach affected Vimeo users and customers whose data was accessible via the Anodot integration with Snowflake and BigQuery. The specific versions of Vimeo’s platform are not detailed in public disclosures; the compromise was not due to a vulnerability in Vimeo’s own software, but rather the result of a third-party supply chain attack.
The verified timeline is as follows: In April 2026, Anodot was breached via stolen authentication tokens. On April 28, 2026, Vimeo publicly disclosed the breach, confirming exposure of user and customer data. On April 29, 2026, security outlets confirmed the breach and its attribution to ShinyHunters. By April 30, 2026, ShinyHunters threatened to publish the stolen data if ransom demands were not met (BleepingComputer, Penta Security, SecurityWeek).
Threat Activity
The threat activity in this incident is characterized by a supply chain attack on a third-party integration with cloud data environments: no exploit against Vimeo was needed, only the integration’s own credentials. The ShinyHunters group, known for large-scale data theft and extortion, exploited the trust relationship between Vimeo and Anodot to obtain authentication tokens. These tokens enabled the attackers to access Vimeo’s Snowflake and BigQuery instances, where they enumerated and exfiltrated technical data, video titles, metadata, and some customer email addresses.
Campaign reporting describes the use of DBeaver Ultimate for database reconnaissance and data extraction, and the stolen data was likely compressed before exfiltration. The exfiltrated data was then used as leverage in an extortion attempt, with ShinyHunters threatening to publish the data unless a ransom was paid. This activity is consistent with the group’s historical pattern of targeting SaaS, cloud, and data-rich organizations via supply chain and credential compromise.
There is no evidence that the attackers accessed uploaded video content, account credentials, or payment card information. The attack did not disrupt Vimeo’s platform operations. Vimeo responded by disabling all Anodot credentials, removing the service’s integration, and engaging third-party security experts and law enforcement to investigate the incident.
The broader campaign involving ShinyHunters has targeted multiple organizations by compromising third-party providers and leveraging stolen credentials to access cloud environments. The use of infostealer malware to harvest credentials from third-party providers is confirmed in the campaign context, though not specifically cited in the Vimeo disclosures.
Mitigation & Workarounds
The following mitigation steps and workarounds are recommended, prioritized by severity:
Critical: Immediately audit and restrict all third-party integrations with access to sensitive cloud data environments. Disable or rotate credentials for any third-party services that are no longer required or that may have been compromised.
High: Enforce multi-factor authentication (MFA) for every human login to cloud data platforms, and for service accounts and third-party integrations, which cannot complete an MFA prompt, restrict where their credentials can be used: Snowflake network policies or BigQuery VPC Service Controls bound to the vendor’s published egress addresses, a dedicated least-privilege role scoped to the tables the integration actually needs, and short-lived or regularly rotated tokens rather than long-lived keys. Ensure that authentication tokens and other credentials are stored securely and are not accessible to unauthorized parties.
High: Monitor for anomalous use of integration accounts, credential reuse, and unauthorized data access in cloud environments. Useful signals for a service account that normally runs one scheduled job are a login from outside the vendor’s address range, a client application other than the vendor’s connector (an interactive tool such as DBeaver is a strong indicator), schema enumeration queries, reads from tables outside the integration’s scope, and result sizes or query rates far above the account’s baseline. Implement automated alerts for these conditions, including access from unexpected locations or at unusual times.
Medium: Conduct a comprehensive review of third-party risk management policies and procedures. Require third-party vendors to adhere to strict security standards, including regular security assessments and incident response capabilities.
Medium: Educate users and administrators about the risks of phishing and targeted attacks that may result from the exposure of email addresses and metadata. Provide guidance on identifying and reporting suspicious communications.
Low: Review and update incident response plans to ensure rapid detection, containment, and remediation of supply chain and credential compromise incidents. Test these plans regularly through tabletop exercises and simulations.
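The detection logic recommended above, as an added example for this advisory and not code from Vimeo, Anodot, Snowflake, or the campaign reporting. It runs a small rule set over constructed login and query records modeled loosely on Snowflake’s ACCOUNT_USAGE.LOGIN_HISTORY and QUERY_HISTORY views; the service account name, IP ranges, table names, client application strings, and all sample rows are hypothetical. The baseline (allowed networks, expected client, expected tables, row and rate limits) comes from the vendor onboarding record, not from the logs, which is what lets a login from an unknown network with an interactive client stand out even though it used a valid token.

```python
"""Flag misuse of a third-party integration's data-warehouse service account.

Added example; not Vimeo's, Anodot's or Snowflake's code. Input is constructed
CSV loosely modeled on Snowflake ACCOUNT_USAGE.LOGIN_HISTORY / QUERY_HISTORY.
All names, addresses and sample rows below are hypothetical.
"""
import csv
import io
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Baseline for one integration account, taken from the vendor onboarding
# record rather than from the logs. Hypothetical values.
BASELINE = {
    "user": "ANALYTICS_SVC",
    "allowed_networks": [ip_network("203.0.113.0/24")],  # vendor's published egress range
    "expected_clients": {"PythonConnector"},             # what the vendor's connector presents
    "expected_tables": {"ANALYTICS.EVENTS_DAILY"},       # the only table the integration needs
    "max_rows_per_query": 50_000,
    "burst_window": timedelta(minutes=10),
    "burst_threshold": 20,
}


@dataclass(frozen=True)
class Login:
    ts: datetime
    user: str
    client_ip: str
    client_app: str
    success: bool


@dataclass(frozen=True)
class Query:
    ts: datetime
    user: str
    rows: int
    text: str


# Constructed sample: two routine nightly logins, then a login from an unknown
# network with an interactive client, followed by enumeration and a bulk read.
LOGIN_HISTORY_SAMPLE = """ts,user,client_ip,client_app,success
2026-04-20T02:00:05,ANALYTICS_SVC,203.0.113.10,PythonConnector,YES
2026-04-21T02:00:04,ANALYTICS_SVC,203.0.113.10,PythonConnector,YES
2026-04-22T14:37:51,ANALYTICS_SVC,198.51.100.23,DBeaver,YES
2026-04-22T14:38:10,ALICE,192.0.2.44,SnowflakeUI,YES
"""

QUERY_HISTORY_SAMPLE = """ts,user,rows,query_text
2026-04-21T02:00:09,ANALYTICS_SVC,1200,"SELECT day, views FROM ANALYTICS.EVENTS_DAILY WHERE day = '2026-04-20'"
2026-04-22T14:38:02,ANALYTICS_SVC,0,"SHOW TABLES IN DATABASE PROD"
2026-04-22T14:39:15,ANALYTICS_SVC,240000,"SELECT u.email, v.title FROM PROD.USERS u JOIN PROD.VIDEOS v ON u.id = v.owner_id"
"""

# Crude table extraction is enough for a triage rule; a SQL parser would be the upgrade.
TABLE_RE = re.compile(r"\b(?:FROM|JOIN)\s+([A-Za-z_][\w.]*)")
ENUM_RE = re.compile(r"\bSHOW\s+(?:TABLES|SCHEMAS|DATABASES|VIEWS)\b|INFORMATION_SCHEMA", re.IGNORECASE)


def parse_logins(text):
    return [Login(datetime.fromisoformat(r["ts"]), r["user"], r["client_ip"],
                  r["client_app"], r["success"] == "YES")
            for r in csv.DictReader(io.StringIO(text.strip()))]


def parse_queries(text):
    return [Query(datetime.fromisoformat(r["ts"]), r["user"], int(r["rows"]), r["query_text"])
            for r in csv.DictReader(io.StringIO(text.strip()))]


def find_anomalies(logins, queries, baseline=BASELINE):
    """Return (rule, timestamp, detail) tuples for the baseline's service account only."""
    user = baseline["user"]
    findings = []
    for l in logins:
        if l.user != user or not l.success:
            continue  # other users and failed logins are outside this rule set
        if not any(ip_address(l.client_ip) in net for net in baseline["allowed_networks"]):
            findings.append(("unexpected_network", l.ts, l.client_ip))
        if l.client_app not in baseline["expected_clients"]:
            findings.append(("unexpected_client", l.ts, l.client_app))
    own = sorted((q for q in queries if q.user == user), key=lambda q: q.ts)
    for q in own:
        if ENUM_RE.search(q.text):
            findings.append(("schema_enumeration", q.ts, q.text))
        if q.rows > baseline["max_rows_per_query"]:
            findings.append(("bulk_read", q.ts, q.rows))
        for table in TABLE_RE.findall(q.text):
            if table.upper() not in baseline["expected_tables"]:
                findings.append(("out_of_scope_table", q.ts, table))
    # Sliding window: many queries in a short span from an account that normally
    # runs one scheduled job looks like scripted extraction.
    start = 0
    for end, q in enumerate(own):
        while q.ts - own[start].ts > baseline["burst_window"]:
            start += 1
        if end - start + 1 >= baseline["burst_threshold"]:
            findings.append(("query_burst", own[start].ts, end - start + 1))
            break
    return findings


def synthetic_burst(n=20):
    """Constructed: n trivial queries ten seconds apart, to exercise the burst rule."""
    base = datetime(2026, 4, 22, 15, 0, 0)
    return [Query(base + timedelta(seconds=10 * i), BASELINE["user"], 1, "SELECT 1")
            for i in range(n)]


if __name__ == "__main__":
    for rule, ts, detail in find_anomalies(parse_logins(LOGIN_HISTORY_SAMPLE),
                                           parse_queries(QUERY_HISTORY_SAMPLE)):
        print(f"{ts.isoformat()}  {rule:<20} {detail}")
```

On the sample data the rules fire six times: the 14:37 login from 198.51.100.23 trips both the network and client-application checks, the SHOW TABLES statement is flagged as enumeration, and the 240,000-row join is flagged once for size and twice for touching tables outside the integration’s scope. The rate rule stays quiet on three queries and fires only when a window holds twenty or more, as synthetic_burst demonstrates. In production the same checks run against the real ACCOUNT_USAGE views (or the BigQuery audit logs) with the baseline stored beside the vendor record, and the out-of-scope finding doubles as an audit of whether the integration’s role grants more than it needs.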
Vimeo has already taken several of these steps, including disabling Anodot credentials, removing the service’s integration, and engaging with security experts and law enforcement. Organizations using similar third-party integrations should proactively assess their own exposure and implement the above recommendations to reduce the risk of similar incidents.
References
BleepingComputer, April 28, 2026: https://www.bleepingcomputer.com/news/security/video-service-vimeo-confirms-anodot-breach-exposed-user-data/
Penta Security, April 29, 2026: https://www.pentasecurity.com/blog/vimeo-confirms-data-breach-from-shinyhunters/
SecurityWeek, April 28, 2026: https://www.securityweek.com/vimeo-confirms-user-and-customer-data-breach/
Hack The Box, July 18, 2024: https://www.hackthebox.com/blog/snowflake-breach-attack-anatomy
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor risks associated with external vendors and supply chain partners. Our platform enables continuous evaluation of third-party integrations, supports rapid credential and access reviews, and facilitates incident response coordination for supply chain and cloud security incidents. For questions or further information, please contact us at ops@rescana.com.