Full Report
Blames outfit called Context.ai, which reckons an agentic OAuth tangle caused the incident Vercel, the company that created the open source Next.js web development framework, has a data leak that led to compromise of some customer credentials, and blamed an outfit called Context.ai for the mess.…
Analysis Summary
# Incident Report: Vercel Credential Compromise via Third-Party AI Tool
## Executive Summary
A security incident at Vercel resulted in unauthorized access to internal systems and the compromise of credentials for a subset of customers. The breach originated from a compromise at Context.ai, where an attacker exploited a Vercel employee's use of an "AI Office Suite" to hijack a Google Workspace account via OAuth tokens. Vercel has isolated the affected environments and advised impacted customers to rotate their credentials.
## Incident Details
- **Discovery Date:** April 19, 2026
- **Incident Date:** March 2026 (Initial Context.ai breach) - April 19, 2026 (Detection at Vercel)
- **Affected Organization:** Vercel (Primary), Context.ai (Secondary)
- **Sector:** Technology / Cloud Infrastructure / AI
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** March 2026
- **Vector:** Third-party compromise (Context.ai)
- **Details:** Attackers gained unauthorized access to Context.ai’s AWS environment. During this breach, the threat actor compromised OAuth tokens belonging to users of Context.ai’s "AI Office Suite."
### Lateral Movement
- **Date/Time:** Between March and April 2026
- **Details:** A Vercel employee had signed up for the AI Office Suite using their enterprise account. The attacker used the stolen OAuth token to bypass authentication and take over the employee’s Vercel Google Workspace account. Because the employee had granted "Allow All" permissions, the attacker moved from the individual account to Vercel enterprise environments.
### Data Exfiltration/Impact
- **April 19, 2026:** Attackers accessed Vercel internal environments and environment variables. While variables marked "sensitive" were reportedly not accessed, "non-sensitive" variables and some customer credentials were compromised.
### Detection & Response
- **April 19, 2026:** Vercel identified unauthorized access to internal systems.
- **April 19-20, 2026:** Vercel notified affected customers, recommended credential rotation, and deployed additional monitoring. Context.ai confirmed the OAuth token leak after coordinating with Vercel.
## Attack Methodology
- **Initial Access:** Exploitation of a third-party AI service (Context.ai) to steal OAuth tokens.
- **Persistence:** OAuth environment hijack; tokens allowed sustained access without needing the user's primary password.
- **Privilege Escalation:** Broad OAuth permissions ("Allow All") allowed the attacker to escalate from a single user's productivity suite to corporate Google Workspace resources.
- **Defense Evasion:** Use of legitimate OAuth tokens to mimic authorized session activity.
- **Credential Access:** Accessing Vercel environment variables to harvest customer-related credentials.
- **Lateral Movement:** Pivot from a third-party AI agent tool to corporate enterprise cloud environments.
- **Impact:** Theft of customer credentials and exposure of configuration data (environment variables).
## Impact Assessment
- **Financial:** Undisclosed; costs associated with incident response (CrowdStrike) and customer support.
- **Data Breach:** Exposure of Vercel customer credentials and internal environment variables for a "limited subset" of users.
- **Operational:** Vercel services remained operational, but internal security workflows and credential rotation protocols were triggered.
- **Reputational:** High; highlights risks in Vercel’s supply chain and the dangers of "Agentic AI" integrations.
## Indicators of Compromise
- **Behavioral indicators:** Service accounts or user accounts (specifically Vercel Google Workspace) performing unusual API calls or accessing environment variables unexpectedly.
- **OAuth Indicators:** Unauthorized use of Context.ai AI Office Suite tokens to access Google Workspace resources.
## Response Actions
- **Containment:** Context.ai shut down its AWS environment following the initial March discovery. Vercel secured the compromised Google Workspace account.
- **Eradication:** Rotation of compromised OAuth tokens and internal credentials.
- **Recovery:** Vercel recommended immediate credential rotation for all affected customers and added "extensive protection measures."
## Lessons Learned
- **Shadow AI Risk:** Employees using unvetted AI tools (AI agents) with enterprise accounts can bypass traditional perimeter security via OAuth.
- **Over-Permissioning:** The use of "Allow All" permissions for third-party integrations creates a single point of failure.
- **Incomplete Forensic Scoping:** An initial investigation by Context.ai/CrowdStrike in March failed to identify the compromised OAuth tokens, allowing the attacker to remain active for weeks.
## Recommendations
- **OAuth Governance:** Restrict the ability of employees to grant broad ("Allow All") scopes to third-party applications via Google Workspace/IDP settings.
- **SaaS Discovery:** Implement tools to monitor and alert on enterprise accounts signing up for unapproved AI services.
- **Secrets Management:** Ensure all sensitive data is strictly categorized and stored in specialized secret management vaults that require multi-factor authentication for access, rather than general environment variables.
- **Vendor Risk Management:** Audit third-party AI tools for security maturity before allowing integration with corporate data.