- Vercel expanded its breach investigation and confirmed more compromised accounts than initially reported.
- Researchers linked the attack to a Context.ai account infected with the Lumma Stealer malware, which was used to access Vercel environments.
- A dark web actor attempted to sell stolen Vercel data, claiming ties to ShinyHunters, although the group denied involvement.
The number of customers affected by the recent breach at Vercel is higher than initially thought, as the company confirmed finding even more compromised accounts.
Earlier this week, the cloud development platform confirmed that it had suffered a cyberattack and lost “non-sensitive” data from its customers. In the initial report, Vercel said one of its employees used a third-party AI tool called Context.ai, which appears to have been used as an entry point.
“The incident originated with a compromise of Context.ai,” the company said, stating that the attacker used that access to take over that employee’s Google Workspace account. Through that, they gained access to some Vercel environments and environment variables “that were not marked as ‘sensitive’.
Article continues below.
Infected after downloading “game cheats”
During further investigation, Vercel expanded its list of indicators of compromise. As a result, he found even more exposed accounts. It also said it found a “small number” of customer accounts with evidence of proper compromises, prior to this attack. These, the company believes, are the result of social engineering or malware attacks.
He said he notified those affected, but would not say how many people were affected.
In their own investigation, security researchers Hudson Rock discovered that Context.ai user was infected with the Lumma Stealer infostealer in February 2026, after searching for exploits for Roblox.
“We now understand that the threat actor has been active beyond the engagement of that startup,” Vercel CEO Guillermo Rauch said on
Just a day before Vercel announced the breach, someone tried to sell the file on a dark web forum. “Greetings everyone. Today I am selling Vercel access key/source code/database,” the attacker said. They claimed to be part of the ShinyHunters team, which the group denied.
Through Hacker News
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.
