Vercel Says Some of its Customers’ Data Was Stolen Prior to Recent Hack

My new least favorite thing right now is how this Vercel breach is being framed. We’ve got actual details now, and guess what? It wasn’t some AI super hacker. Somehow the narrative still drifted into “AI super hackers” and “accelerated attacks.” That’s not what this was. Not even close.

Let’s start with what Vercel actually is: a hosting platform that’s incredibly popular with indie hackers and small startups. It’s built around speed: take a Next.js app, connect it to GitHub, push code, and it’s live. That convenience is the whole value prop. But the flip side is obvious: it’s full of secrets. Environment variables, API keys, credentials — everything you need to run real infrastructure lives there.

So when the breach hit, the concern was legitimate. If attackers got access to those environments, they’re not just looking at code; they’re looking at the keys to everything that code connects to: Stripe, databases, third-party APIs, all of it.

What Actually Happened

This didn’t start at Vercel. It started at a third-party company called Context.ai. An employee there got infected with infostealer malware, not through some advanced exploit or a zero-day, but by downloading a Roblox cheat. That’s the entry point.

From that single infection, attackers harvested credentials: Google Workspace tokens, access keys, whatever was sitting on that machine. And once you have that, you don’t need passwords anymore. You’ve got sessions, tokens and access. A stolen session cookie or OAuth token is already past the login and the MFA prompt, so neither gets a second chance to stop the attacker.

From there, they pivoted.

They used those tokens to move through systems, enumerate access, and find paths into Vercel environments. This is what attackers do. They don’t sit there manually poking around; they run scripts. They operate at machine speed. They take whatever access they get and expand it as fast as possible.

That’s the part that seems to keep surprising people, and it shouldn’t.

I’ve said this over and over: if you’re not shutting attackers down in 10 to 30 minutes, you’re already behind. My real target is 10 minutes, because that’s how fast they move. Every security program I’ve ever built had to assume that speed. If you’re describing attacker velocity as “surprising,” then you weren’t prepared for how this actually works.
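The whole chain above, stolen token, replayed from somewhere else, expanded at machine speed, is detectable without any AI because the token itself never re-authenticates: the only things that change are where the request comes from and what is sending it. Here is that check run over a handful of sample sign-in log lines, with the ten-minute containment budget built in as a deadline. This is an added example, not code from the original post or from Vercel or Context.ai; the log format (timestamp, user, session id, source IP, user agent) and the sample lines are constructed for illustration, so map the fields onto whatever your identity provider or SaaS audit log actually emits.

```python
"""Detect a stolen session token being replayed from a new client.

Added example, not code from the original post or from Vercel or
Context.ai. The log format (timestamp, user, session_id, source_ip,
user_agent) and the sample lines are constructed to illustrate the
pattern; map the fields onto whatever your IdP or SaaS audit log emits.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    session_id: str
    src_ip: str
    user_agent: str


@dataclass(frozen=True)
class Alert:
    session_id: str
    user: str
    original_fp: tuple[str, str]   # (src_ip, user_agent) the session started with
    replay_fp: tuple[str, str]     # (src_ip, user_agent) it was replayed from
    first_misuse: datetime
    contain_by: datetime           # first_misuse + the response budget


# Constructed sample log, one authenticated request per line:
# timestamp user session_id source_ip user_agent
# alice signs in from her laptop; 30 minutes later the same session token
# is replayed from a different network by a scripting client.
SAMPLE_LOG = """
2024-05-01T09:00:00Z alice sess-7f3a 203.0.113.10 Mozilla/5.0 (Macintosh) Chrome/124
2024-05-01T09:04:12Z alice sess-7f3a 203.0.113.10 Mozilla/5.0 (Macintosh) Chrome/124
2024-05-01T09:10:00Z bob sess-21c9 203.0.113.11 Mozilla/5.0 (X11; Linux) Firefox/125
2024-05-01T09:31:50Z alice sess-7f3a 198.51.100.77 python-requests/2.31
2024-05-01T09:32:05Z alice sess-7f3a 198.51.100.77 python-requests/2.31
"""


def parse_log(text: str) -> list[Event]:
    """Parse the constructed format above into Events, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, sid, ip, ua = line.split(maxsplit=4)
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            user, sid, ip, ua))
    events.sort(key=lambda e: e.ts)
    return events


def detect_session_replay(events: list[Event],
                          budget: timedelta = timedelta(minutes=10)) -> list[Alert]:
    """Flag any session token later used from a different (source IP,
    user agent) pair than the one it was first seen with.

    A stolen cookie or OAuth token never re-authenticates, so the login
    and MFA prompt are never hit again; the only thing that changes is
    where the request comes from and what is sending it. `contain_by`
    is the deadline for killing the session given the response budget.
    """
    first_fp: dict[str, tuple[str, str]] = {}
    alerts: dict[str, Alert] = {}
    for e in events:
        fp = (e.src_ip, e.user_agent)
        if e.session_id not in first_fp:
            first_fp[e.session_id] = fp
        elif fp != first_fp[e.session_id] and e.session_id not in alerts:
            alerts[e.session_id] = Alert(e.session_id, e.user, first_fp[e.session_id],
                                         fp, e.ts, e.ts + budget)
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_session_replay(parse_log(SAMPLE_LOG)):
        print(f"{a.user} {a.session_id}: started {a.original_fp}, "
              f"replayed from {a.replay_fp} at {a.first_misuse:%H:%M:%S}; "
              f"revoke by {a.contain_by:%H:%M:%S}")
```

On the sample data this flags alice’s session once, at the first request from the new network, and bob’s not at all. A fingerprint change on its own is noisy in real logs (VPNs, phone-to-laptop handoffs), so in practice you weight a browser-to-scripting-client user agent switch and a change of ASN far above a plain IP change, and the action on a hit is to revoke the session and every token minted from it, not to open a ticket.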

More Customers Compromised Than First Reported

We’re now learning it didn’t stop there: Vercel has confirmed that additional customer accounts were compromised and that the attackers were active beyond just the initial Context.ai foothold.

Vercel’s messaging overall is a lot of bullshit. They talk about encryption at rest. That doesn’t matter here. Encryption at rest protects you if someone steals the drive. It does nothing when the application accessing the data is compromised. The app has the keys. That’s how it works. Anyone holding a valid token or session for that app gets the same plaintext the app does.

They talk about defense in depth. But if an employee can grant broad OAuth permissions to a third-party AI tool, and that access can be leveraged to pivot into internal systems, then whatever defense in depth you had didn’t stop the attack. Defense in depth here would have looked like allow-listing which third-party OAuth apps employees can authorize, capping the scopes those apps can request, and short-lived tokens, so a stolen copy stops working before the attacker is done with it.
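The first question a defender asks after reading that paragraph is “which apps in my tenant already hold broad grants, and from how many users?” The audit below answers it over a constructed set of OAuth grants and produces the per-(user, app) revocation list. This is an added example, not Vercel’s, Context.ai’s or Google’s code. The record shape (userKey, clientId, displayText, scopes) is modelled on the items returned by the Google Workspace Admin SDK Directory API `tokens.list` call, and `tokens.delete` is the matching revocation call; the sample grants are constructed, and which scopes count as “broad” is a policy choice assumed here for illustration.

```python
"""Audit third-party OAuth grants for scopes broad enough to pivot with.

Added example, not Vercel's, Context.ai's or Google's code. The record
shape (userKey, clientId, displayText, scopes) is modelled on the items
returned by the Google Workspace Admin SDK Directory API tokens.list
call; the sample grants below are constructed, and which scopes count as
"broad" is a policy choice assumed here for illustration.
"""
from collections import defaultdict

# Assumed policy: scopes that let an app read a whole mailbox, all of
# Drive, or manage users. Any one of these in a stolen token is enough
# to enumerate and pivot without ever touching a password.
BROAD_SCOPES = {
    "https://mail.google.com/": "full mailbox access",
    "https://www.googleapis.com/auth/gmail.readonly": "read all mail",
    "https://www.googleapis.com/auth/drive": "read/write all Drive files",
    "https://www.googleapis.com/auth/drive.readonly": "read all Drive files",
    "https://www.googleapis.com/auth/admin.directory.user": "manage users",
}

# Constructed sample: three users, two of whom authorised the same
# AI assistant with Drive (and in one case mail) scopes.
SAMPLE_GRANTS = [
    {"userKey": "alice@example.com", "clientId": "1111.apps.googleusercontent.com",
     "displayText": "Example AI Assistant",
     "scopes": ["openid", "https://www.googleapis.com/auth/drive",
                "https://mail.google.com/"]},
    {"userKey": "bob@example.com", "clientId": "1111.apps.googleusercontent.com",
     "displayText": "Example AI Assistant",
     "scopes": ["openid", "https://www.googleapis.com/auth/drive"]},
    {"userKey": "carol@example.com", "clientId": "2222.apps.googleusercontent.com",
     "displayText": "Calendar Widget",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
]


def audit_grants(grants, broad=BROAD_SCOPES):
    """Return one finding per grant that carries at least one broad scope."""
    findings = []
    for g in grants:
        hits = [s for s in g.get("scopes", []) if s in broad]
        if hits:
            findings.append({
                "userKey": g["userKey"],
                "clientId": g["clientId"],
                "app": g.get("displayText", g["clientId"]),
                "broad_scopes": hits,
                "impact": [broad[s] for s in hits],
            })
    return findings


def blast_radius(findings):
    """Group findings by app: if that app's token is lifted from one
    laptop, how many users' mail or Drive does it reach? Largest first."""
    per_app = defaultdict(set)
    for f in findings:
        per_app[(f["clientId"], f["app"])].add(f["userKey"])
    return sorted(((cid, app, len(users)) for (cid, app), users in per_app.items()),
                  key=lambda r: -r[2])


def revocation_plan(findings):
    """tokens.delete in the Admin SDK revokes one (userKey, clientId)
    pair at a time; return the distinct pairs to feed it."""
    return sorted({(f["userKey"], f["clientId"]) for f in findings})


if __name__ == "__main__":
    found = audit_grants(SAMPLE_GRANTS)
    for cid, app, n in blast_radius(found):
        print(f"{app} ({cid}): broad scopes granted by {n} user(s)")
    for user, cid in revocation_plan(found):
        print(f"revoke {cid} for {user}")
```

Run against a real tenant, the input is the concatenated `tokens.list` output for every user, and the output of `revocation_plan` is the list you walk with `tokens.delete` while the infostealer victim’s workstation is still being imaged. The blast-radius view is the part that matters for the argument above: one consumer-grade AI tool with Drive scope across fifty employees is fifty mailboxes and document stores reachable from whichever of those fifty laptops gets popped next.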

They talk about highly sophisticated attackers accelerated by AI. No. These attackers already have playbooks. They already have automation. They already know how to take a stolen token and turn it into broader access. They don’t need AI to do that.

All This Has Happened Before, and Will Happen Again

What we’re looking at is the same pattern we’ve been dealing with for years: infostealer malware, credential theft, session hijacking and lateral movement through SaaS environments.

The only thing that’s changed is the story we’re telling about it. That’s the frustrating part. Instead of just saying, “This is what happened, and here’s how we’re going to fix it,” we get buzzwords, vague claims about advanced threats and explanations that don’t actually line up with how these attacks work.

Security is hard. Everyone gets popped at some point. That’s not the issue.

The issue is pretending this was something new, because it wasn’t.