Technerdo

Vercel Confirms Breach via Context AI Hack, Stolen Data Listed for $2M

Cloud platform Vercel says attackers pivoted from a compromise at AI vendor Context.ai into its Google Workspace, exposing customer credentials and source code for a limited subset of users.

omer-yld

April 21, 2026 · 5 min read

Cloud deployment platform Vercel confirmed on April 19, 2026 that attackers breached its internal systems through a compromise at Context.ai, an AI productivity vendor that one of its employees had connected to a Google Workspace account. The breach exposed a limited subset of customer credentials, internal environment variables, and some source code, and a threat actor claiming affiliation with ShinyHunters has since listed the stolen data for roughly $2 million on a cybercrime forum.

The incident is a textbook third-party OAuth pivot: attackers never attacked Vercel directly. They compromised Context.ai in March 2026, lifted OAuth tokens for a Vercel employee's Google Workspace session, then enumerated Vercel's internal infrastructure from that foothold. According to Vercel's official incident disclosure and reporting from BleepingComputer, the attackers exfiltrated API keys, NPM tokens, GitHub tokens, roughly 580 employee records, and database contents before Vercel detected the intrusion.

What Was Stolen

Vercel's disclosure lists the categories of exposed data. The company has not published a full customer count, but TechCrunch reports the breach may affect "hundreds of users across many organizations."

  • Environment variables that customers had marked "non-sensitive" (stored unencrypted)
  • Customer API keys, NPM tokens, and GitHub personal access tokens
  • Internal employee records — roughly 580 entries including names, emails, and account status timestamps
  • Source code and database snapshots from a limited set of internal projects
  • OAuth tokens tied to the third-party integration

Vercel explicitly stated that Next.js and Turbopack open-source projects were not affected. Customer deployments themselves were not breached — the exposure comes from secrets that were accessible through the compromised employee's Google Workspace session.

How the Attack Worked

The attack chain, pieced together from Vercel and Context.ai's statements along with analysis from The Hacker News, traces to a single OAuth grant. A Vercel employee installed Context.ai's office-suite integration and connected it to their corporate Google account. When Context.ai itself was compromised in March — reportedly via a Lumma Stealer infection disguised as a Roblox cheat on an employee machine — the attackers gained access to the OAuth tokens that integration held.

Context.ai acknowledged its March incident in a statement, writing that hackers "likely compromised OAuth tokens for some of our consumer users." The company did not initially disclose the breach publicly, and Vercel only traced the root cause weeks later during its own investigation.

Vercel CEO Guillermo Rauch described the escalation bluntly: "The attacker got further access through their enumeration" of environment variables the company had not considered sensitive. That enumeration produced the API keys and tokens now being hawked for $2 million.

Who Is Affected and What to Do

Vercel has contacted impacted customers directly and is advising the broader user base to rotate any credentials stored in environment variables flagged as "non-sensitive." If you run production workloads on Vercel, do the following today:

  • Rotate all API keys, NPM tokens, and GitHub PATs referenced in any Vercel project's environment variable panel
  • Audit Google Workspace OAuth grants and revoke any third-party AI integrations you do not actively use
  • Check GitHub and NPM audit logs for unexpected token usage since March 2026
  • Review your own environment-variable hygiene — if anything sensitive lives under a "non-sensitive" flag, that is where attackers looked first
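To make the last item concrete, here is an added example (not from Vercel or the original article) that flags variables left outside the sensitive store whose name or value looks like a credential. The record format with `name`, `value` and `sensitive` keys is a hypothetical export, not Vercel's API schema, and every sample value is constructed.

```python
import math
import re

# Publicly documented token prefixes (GitHub, npm); sample values are constructed.
TOKEN_PATTERNS = {
    "github_token": re.compile(r"gh[pousr]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{20,}"),
    "npm_token": re.compile(r"npm_[A-Za-z0-9]{30,}"),
}
SECRET_NAME = re.compile(r"SECRET|TOKEN|PASSW(OR)?D|API_?KEY|PRIVATE|CREDENTIAL|DATABASE_URL", re.I)
URL_WITH_PASSWORD = re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@")

def shannon_entropy(value: str) -> float:
    """Bits per character; long random strings score high."""
    if not value:
        return 0.0
    probs = [value.count(c) / len(value) for c in set(value)]
    return -sum(p * math.log2(p) for p in probs)

def classify(name: str, value: str) -> list[str]:
    """Return the reasons a variable looks like a credential (empty if none)."""
    reasons = [label for label, pat in TOKEN_PATTERNS.items() if pat.fullmatch(value)]
    if URL_WITH_PASSWORD.match(value):
        reasons.append("url_with_password")
    if value and SECRET_NAME.search(name):
        reasons.append("secret_like_name")
    if len(value) >= 24 and " " not in value and shannon_entropy(value) >= 4.0:
        reasons.append("high_entropy")
    return reasons

def audit(env_vars: list[dict]) -> dict[str, list[str]]:
    """Flag variables NOT marked sensitive whose name or value looks secret."""
    findings = {}
    for var in env_vars:
        if not var["sensitive"]:
            reasons = classify(var["name"], var["value"])
            if reasons:
                findings[var["name"]] = reasons
    return findings

# Constructed sample in a hypothetical export format (assumption, see lead-in).
SAMPLE = [
    {"name": "NEXT_PUBLIC_SITE_URL", "value": "https://example.com", "sensitive": False},
    {"name": "GH_DEPLOY", "value": "ghp_" + "A1b2C3d4E5f6" * 3, "sensitive": False},
    {"name": "DATABASE_URL", "value": "postgres://app:hunter2@db.internal:5432/app", "sensitive": False},
    {"name": "STRIPE_SECRET_KEY", "value": "placeholder", "sensitive": True},
    {"name": "LOG_LEVEL", "value": "info", "sensitive": False},
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE).items():
        print(f"rotate and re-flag {name}: {', '.join(reasons)}")
```

Anything the audit reports should be rotated first and then stored under the sensitive flag; the entropy and name checks are heuristics, so review hits rather than treating a clean run as proof.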

The same OAuth-token playbook keeps resurfacing across 2026's biggest incidents. Our breakdown of AI-era phishing and credential theft covers the pattern in depth, and our state-of-cybersecurity report for 2026 tracks how supply-chain compromises now outnumber direct intrusions for SaaS providers.

Why the $2M Sale Is Murky

The threat actor behind the data listing claims to be affiliated with ShinyHunters, the group tied to a string of 2024–2026 SaaS extortion campaigns. The actual ShinyHunters collective has publicly denied involvement in this one. TechCrunch reports that Vercel has not received a ransom demand directly — the $2 million figure reflects an open-market listing on a cybercrime forum, not a negotiated ransom.

That distinction matters. Data listed for sale without a direct ransom usually indicates the attacker is monetizing whatever they can, rather than having leverage over the victim. For Vercel customers, the practical implication is the same: treat the exposed credentials as fully public and rotate accordingly.

What's Next

Vercel has not disclosed whether Context.ai was its only exposed third-party vendor, nor whether other customers of Context.ai may have suffered similar lateral compromises. The company says it is reviewing its third-party OAuth scope policies and will publish a post-incident report. Context.ai has yet to issue a public post-mortem of the March intrusion that started the chain.

For the industry, the Vercel incident is another argument against generous OAuth scopes for consumer-grade AI productivity tools inside corporate Workspace tenants. As one Dark Reading source put it, stolen OAuth tokens are "the new attack surface, the new lateral movement." If your team has been granting Workspace access to AI plugins without review, this is the week to audit.
