Vercel Discloses Internal System Breach Following Third-Party OAuth Compromise
Take action: If you're a Vercel customer, reach out to Vercel immediately. Immediately check your Google Admin Console (https://admin.google.com/ac/owl/list?tab=apps) filtering by app ID 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com: if it appears, revoke access and rotate all exposed secrets (NPM/GitHub tokens, API keys, deployment credentials). Finally, audit your Vercel deployments and Linear workspace for suspicious activity.
Learn More
Vercel, the cloud development platform behind Next.js, reports a security breach on April 19, 2026, after unauthorized access to its internal systems. The company issued a security bulletin confirming that a limited subset of customers was impacted by the incident.
Shortly after the disclosure, a threat actor claiming to be part of the ShinyHunters group posted on BreachForums, offering to sell stolen data for $2 million.
The breach originated from a compromise of a third-party AI tool's Google Workspace OAuth application, which served as the initial entry point for the attackers. The threat actor gained access to Vercel's internal Linear project management instance and user management systems. The attacker shared screenshots of internal dashboards and a text file containing employee records as proof of the intrusion.
The claimed compromised data includes:
- 580 employee records with names, email addresses, and account status
- Internal source code and database exports
- API keys, including NPM and GitHub tokens
- Access keys for internal deployments and employee accounts
- Internal project management data from Linear
Compromised deployment pipelines could theoretically allow build tampering for affected accounts. No evidence of such tampering has surfaced yet.
The total number of affected individuals and development projects is not disclosed.
The breached third party service is alleged to be Context.ai, an AI platform and a Vercel employee. The breach occurred when the employee's account was compromised, leading to unauthorized access to sensitive data.
Brendan Falk on twitter recommends the following check:
https://admin.google.com/ac/owl/list?tab=apps
ID = http://110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.comIf you see an app after filtering, you have potentially been compromised
Vercel hired incident response experts and notified law enforcement to investigate the scope of the unauthorized access. The company stated that its core hosting and deployment services remain fully operational and were not disrupted by the attack. Vercel is currently working directly with the group of affected customers to secure their environments and mitigate further risk.
