Web infrastructure provider Vercel recently confirmed a security breach that allowed unauthorized access to some of its internal systems. This breach was linked to a compromised third-party AI tool, Context.ai, used by one of Vercel's employees. The attacker leveraged this access to take control of the employee's Vercel Google Workspace account, which granted them entry into certain Vercel environments and environment variables that had not been marked as sensitive. Vercel assured that sensitive environment variables, stored in encrypted form, were not accessed.
The company described the threat actor as sophisticated, citing their operational speed and familiarity with Vercel's systems. Vercel is collaborating with Mandiant and other cybersecurity experts, has alerted law enforcement, and is working with Context.ai to assess the breach's full impact. Affected customers have been notified to rotate their credentials immediately. The investigation into what data was exfiltrated is ongoing, with plans to inform customers if further compromises are identified.
Vercel has advised administrators to review OAuth applications linked to their Google Workspace accounts. While details on the affected systems and customer numbers remain undisclosed, the ShinyHunters group has claimed responsibility for the hack, allegedly selling the stolen data for $2 million. Context.ai confirmed unauthorized access to its AWS environment and compromised OAuth tokens for some users, which were used to access Vercel's Google Workspace. This incident underscores the vulnerabilities associated with third-party applications and OAuth tokens.
Vercel has implemented new security measures, including enhanced management of environment variables and a more secure interface for handling sensitive data. In collaboration with Microsoft and others, Vercel has verified that its npm packages were not compromised. The breach has led to the removal of Context.ai's Google Chrome extension from the Chrome Web Store due to embedded OAuth grants that accessed users' Google Drive files.
Experts highlight that OAuth tokens represent a significant security risk, likening them to high-value credentials. The industry is called to treat these tokens with greater caution to prevent future breaches.


