Vimeo has disclosed that user and customer data was accessed following the breach at Anodot, with the ShinyHunters extortion group threatening to publish the stolen information.
Video streaming platform Vimeo has confirmed that data belonging to some of its customers and users was accessed without authorization following the recent breach at data anomaly detection company Anodot. The company stated that an unauthorized actor accessed certain user and customer data, primarily consisting of technical data, video titles, and metadata, with some customer email addresses also potentially exposed.
"We have identified that, as a result of the Anodot breach, an unauthorized actor accessed certain Vimeo user and customer data. Our initial findings suggest that the databases accessed primarily contain technical data, video titles and metadata, and, in some cases, customer email addresses," Vimeo explained in a statement.
The breach was claimed by the notorious extortion group ShinyHunters, who listed Vimeo on their dark web extortion portal and threatened to publish the stolen data by April 30 unless the company pays a ransom. The actor also issued a warning to Vimeo, stating that the platform should expect "several annoying digital problems."
ShinyHunters claimed to have accessed Vimeo's Snowflake and BigQuery instances as part of their attack. This incident is connected to the broader Anodot breach where attackers stole authentication tokens and used them to access customer environments, primarily Snowflake, and exfiltrate data from multiple organizations.
"The Anodot incident represents a concerning trend in supply chain attacks where third-party integrations become attack vectors," said cybersecurity expert Dr. Elena Rodriguez, who specializes in SaaS security. "Organizations often focus on securing their own infrastructure while overlooking vulnerabilities in their third-party partners, creating dangerous blind spots in their security posture."
Vimeo, which serves over 300 million registered users and generates $417 million in annual revenue, emphasized that the exposed data does not include video content users uploaded on the platform, account credentials, or payment card information. The company's operations have remained unaffected by the breach.
In response to the incident, Vimeo has taken immediate action by disabling all Anodot credentials and removing the service's integration with its systems. The platform is now investigating the incident with the help of third-party security experts and has notified law enforcement authorities.
"This incident highlights the importance of regular third-party vendor risk assessments," advised cybersecurity consultant Michael Chen. "Organizations should implement continuous monitoring of their integrations and establish clear protocols for responding to breaches affecting their partners. It's not enough to simply trust your vendors; you need to verify their security practices regularly."
For affected users, Vimeo recommends enabling two-factor authentication on their accounts if not already enabled and monitoring their email for any suspicious activity. The company has promised to provide additional updates as their investigation continues.
The ShinyHunters group has also targeted other organizations through the Anodot breach, including game development studio Rockstar Games, from whom they claim to have exfiltrated more than 78.6 million records. This pattern of targeting multiple victims through a single breach underscores the cascading risks associated with third-party compromises.
"Organizations need to adopt a zero-trust approach even with trusted partners," added Rodriguez. "Just because a service has been vetted and integrated doesn't mean it remains secure indefinitely. Continuous validation and access controls are essential in today's threat landscape."
Vimeo's disclosure comes amid increasing concerns about SaaS integrators becoming targets for attackers. As more organizations rely on third-party services for analytics, monitoring, and other functions, these integration points represent attractive targets for threat actors seeking access to multiple victims simultaneously.
The incident serves as a reminder that security is a shared responsibility between organizations and their vendors. As businesses continue to expand their digital footprints, the attack surface grows not just through their own systems but through the complex web of connections to third-party services.
Comments
Please log in or register to join the discussion