Vimeo points finger at analytics supplier Anodot, says no logins or card data were touched. More than 119,000 Vimeo users' email addresses were extracted in a breach traced to a third-party analytics vendor, according to Have I Been Pwned.…
Analysis Summary
# Incident Report: Third-Party Breach of Vimeo Data via Anodot
## Executive Summary
In April 2024, the threat actor group "ShinyHunters" exfiltrated data belonging to approximately 119,000 Vimeo users. The breach originated from a compromise of Anodot, a third-party analytics vendor, which gave the attackers access to the Snowflake and BigQuery instances integrated with Anodot. No passwords or financial data were compromised, but a significant volume of technical metadata and user email addresses was leaked.
## Incident Details
- **Discovery Date:** April 2024
- **Incident Date:** April 4, 2024
- **Affected Organization:** Vimeo (via Anodot)
- **Sector:** Technology / SaaS / Video Hosting
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** April 4, 2024
- **Vector:** Third-party Integration / Supply Chain
- **Details:** Attackers compromised Anodot, a third-party analytics provider, gaining access to the credentials/integrations used to connect to Vimeo’s data environments.
### Lateral Movement
- ShinyHunters used the established trust relationship and the credentials held by Anodot to access Vimeo's cloud data warehouses, specifically its Snowflake and BigQuery instances.
### Data Exfiltration/Impact
- **Data Extracted:** 119,000 unique email addresses, names, video titles, and technical metadata.
- **Claims:** Attackers claimed to have stolen "hundreds of gigabytes" of data.
### Detection & Response
- **Detection:** The incident became public when ShinyHunters listed Vimeo on a "pay or leak" site in April.
- **Response:** Vimeo disabled Anodot credentials, removed the software integration, engaged external security consultants, and notified law enforcement.
## Attack Methodology
- **Initial Access:** Supply Chain Compromise (via vendor Anodot).
- **Persistence:** Use of legitimate third-party API keys or integration credentials.
- **Privilege Escalation:** Not specified, but likely utilized high-level service account permissions inherent to analytics integrations.
- **Defense Evasion:** Use of legitimate integration channels to mask unauthorized data access.
- **Credential Access:** Compromise of Anodot-owned credentials/tokens.
- **Discovery:** Enumeration of Snowflake and BigQuery data structures.
- **Lateral Movement:** Pivot from third-party vendor environment to client data warehouses.
- **Collection:** Automated extraction of technical metadata and user tables.
- **Exfiltration:** Large-scale dump of database contents (allegedly hundreds of GBs).
- **Impact:** Data breach and attempted extortion.
## Impact Assessment
- **Financial:** Potential regulatory fines (GDPR/CCPA) and costs for forensic investigation; extortion attempt (amount undisclosed).
- **Data Breach:** 119,000 email addresses and names; extensive technical metadata.
- **Operational:** Disruption of analytics workflows due to the removal of Anodot.
- **Reputational:** Public disclosure by ShinyHunters and breach notification via "Have I Been Pwned."
## Indicators of Compromise
- **Network indicators:** Activity originating from Anodot-associated IP ranges/service accounts fetching unusually high volumes of data.
- **Behavioral indicators:** Unauthorized access to Snowflake or BigQuery instances using Anodot service tokens outside of normal query patterns.
## Response Actions
- **Containment:** Revoked all Anodot access tokens and credentials.
- **Eradication:** Completely removed the Anodot integration from the Vimeo ecosystem.
- **Recovery:** External security audit of the data warehouse environment.
- **Notification:** Informed affected users and law enforcement agencies.
## Lessons Learned
- **Key Takeaways:** Third-party integrations represent a significant blind spot; even if a primary organization’s perimeter is secure, vendors with "read" access to data warehouses are high-value targets.
- **Shortcomings:** Reliance on a single point of failure (vendor credentials) allowed for broad access to sensitive technical metadata.
## Recommendations
- **Least Privilege:** Restrict third-party analytics access to only the specific data fields required for their service (e.g., masking or excluding PII like email addresses).
- **Monitoring:** Implement anomaly detection on cloud data warehouses (Snowflake/BigQuery) to alert on "unusual large-scale exports" by service accounts.
- **Vendor Risk Management:** Require vendors to provide proof of robust internal security controls and MFA for all administrative access.
- **Data Minimization:** Regularly purge or anonymize technical metadata that is no longer required for active business operations.
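As an added example of the Least Privilege and Monitoring recommendations above (this is not code from the report, from Vimeo or from Anodot): a small Python triage over constructed Snowflake-style query-history rows that flags a vendor service account reading tables it is not entitled to, or exporting far more rows than its own baseline. The column names mirror Snowflake's ACCOUNT_USAGE.QUERY_HISTORY; the account names, tables and row counts are invented.

```python
import re
from statistics import median

# Constructed query-history rows shaped like Snowflake's ACCOUNT_USAGE.QUERY_HISTORY
# (user_name, rows_produced, query_text). Users, tables and counts are invented.
SAMPLE_QUERIES = [
    {"user": "SVC_VENDOR_ANALYTICS", "rows": 14_200,
     "sql": "SELECT day, views FROM VIDEO_STATS WHERE day = '2024-04-01'"},
    {"user": "SVC_VENDOR_ANALYTICS", "rows": 15_900,
     "sql": "SELECT day, views FROM VIDEO_STATS WHERE day = '2024-04-02'"},
    {"user": "SVC_VENDOR_ANALYTICS", "rows": 13_700,
     "sql": "SELECT day, views FROM VIDEO_STATS WHERE day = '2024-04-03'"},
    {"user": "SVC_VENDOR_ANALYTICS", "rows": 9_800_000, "sql": "SELECT * FROM USERS"},
    {"user": "SVC_VENDOR_ANALYTICS", "rows": 8_100_000,
     "sql": "COPY INTO @vendor_stage FROM (SELECT * FROM VIDEO_METADATA)"},
    {"user": "ETL_LOADER", "rows": 2_000_000,
     "sql": "INSERT INTO VIDEO_STATS SELECT * FROM STAGING_VIDEO_STATS"},
]
# Least-privilege entitlement: the tables each integration account may read.
ALLOWED_TABLES = {
    "SVC_VENDOR_ANALYTICS": {"VIDEO_STATS"},
    "ETL_LOADER": {"VIDEO_STATS", "STAGING_VIDEO_STATS"},
}
VOLUME_FACTOR = 20  # rows_produced above 20x the account's median is anomalous
BULK_EXPORT = re.compile(r"\bCOPY\s+INTO\s+@|\bSELECT\s+\*", re.I)

def tables_read(sql):
    """Crude FROM/JOIN identifier extraction; adequate for history triage."""
    return {m.upper() for m in re.findall(r"\b(?:FROM|JOIN)\s+([A-Za-z_][\w.]*)", sql, re.I)}

def flag_anomalies(queries, allowed=ALLOWED_TABLES, factor=VOLUME_FACTOR):
    """Return (user, sql, reasons) for queries that read non-entitled tables or
    bulk-export far above the account's own median (in production, take the
    median over a trailing window that excludes the period under review)."""
    per_user = {}
    for q in queries:
        per_user.setdefault(q["user"], []).append(q["rows"])
    baseline = {u: median(r) for u, r in per_user.items()}
    findings = []
    for q in queries:
        reasons = []
        outside = tables_read(q["sql"]) - allowed.get(q["user"], set())
        if outside:
            reasons.append(f"reads non-entitled table(s): {sorted(outside)}")
        if q["rows"] > factor * baseline[q["user"]] and BULK_EXPORT.search(q["sql"]):
            reasons.append(f"bulk export: {q['rows']:,} rows vs median {baseline[q['user']]:,.0f}")
        if reasons:
            findings.append((q["user"], q["sql"], reasons))
    return findings
```

On the sample rows only the two vendor-account queries against USERS and VIDEO_METADATA are flagged, each for both reasons; the routine daily reads and the ETL load are not.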