Full Report
In April 2026, the ShinyHunters extortion group listed Vimeo on their extortion portal as part of their "pay or leak" campaign. They subsequently published hundreds of gigabytes of data, predominantly consisting of video titles, technical data and metadata. The data also included 119k unique email addresses, sometimes accompanied by names. Vimeo attributed the exposure to a breach of Anodot, a third-party analytics vendor, and advised the incident does not include "Vimeo video content, valid user login credentials, or payment card information".
Analysis Summary
# Incident Report: Vimeo Third-Party Data Breach (Anodot)
## Executive Summary
In April 2026, the extortion group ShinyHunters compromised Anodot, a third-party analytics vendor used by Vimeo. This supply chain attack resulted in the exfiltration and subsequent publication of hundreds of gigabytes of technical metadata and the personal information of approximately 119,000 users. While internal Vimeo systems remained secure, the incident highlights the significant risks associated with third-party data processing.
## Incident Details
- **Discovery Date:** April 2026
- **Incident Date:** April 2026
- **Affected Organization:** Vimeo (via Anodot)
- **Sector:** Technology / Video Hosting / Data Analytics
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** April 2026
- **Vector:** Supply Chain Compromise
- **Details:** Attackers gained unauthorized access to the environment of Anodot, a third-party analytics provider integrated with Vimeo's data streams.
### Lateral Movement
- **Details:** Specific lateral movement techniques within Anodot’s infrastructure were not publicly disclosed, but the attackers successfully accessed data silos containing Vimeo-related analytics and metadata.
### Data Exfiltration/Impact
- **April 2026:** ShinyHunters exfiltrated hundreds of gigabytes of data.
- **April 2026:** The group listed Vimeo on their "pay or leak" extortion portal.
- **Follow-up:** Sensitive data was published online after extortion demands were likely unmet.
### Detection & Response
- **Detection:** Discovered via the public listing on the ShinyHunters extortion portal.
- **Response:** Vimeo initiated an investigation, identified the leak source as Anodot, and issued a public disclosure to clarify the scope of the affected data.
## Attack Methodology
- **Initial Access:** Compromise of third-party vendor (Anodot).
- **Persistence:** Not disclosed.
- **Privilege Escalation:** Not disclosed.
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Not disclosed.
- **Discovery:** Targeting of high-value cloud analytics data.
- **Lateral Movement:** Pivot from vendor environment to specific client (Vimeo) data sets.
- **Collection:** Gathering of technical metadata, video titles, and user PII.
- **Exfiltration:** Large-scale transfer of hundreds of gigabytes of data.
- **Impact:** Financial extortion through "pay or leak" tactics; reputational damage.
## Impact Assessment
- **Financial:** Potential extortion demands (unpaid); costs associated with forensic investigation and notification.
- **Data Breach:** Exposure of 119,000 unique email addresses, names, video titles, and technical metadata.
- **Operational:** No reported disruption to Vimeo’s core video hosting services.
- **Reputational:** Public association with a high-profile extortion group; requirement for public clarification that core systems (passwords/payments) were not breached.
## Indicators of Compromise
- **Network indicators:** hxxps[://]shinyhunters[.]com (Extortion portal affiliate)
- **File indicators:** Publication of CSV/JSON files containing Vimeo user metadata and email logs.
- **Behavioral indicators:** Large-scale unauthorized data egress from Anodot analytics environments.
## Response Actions
- **Containment:** Likely handled by Anodot to revoke compromised credentials or patch entry points.
- **Eradication:** Scrubbing of compromised third-party access keys if applicable.
- **Recovery:** Vimeo confirmed that core systems (login credentials, payment info, and video content) remained unaffected.
- **Communication:** Published official disclosure statements to reassure users and clarify the role of the third-party vendor.
## Lessons Learned
- **Supply Chain Vulnerability:** Even if a primary organization's security is robust, third-party vendors with access to data streams represent a significant attack surface.
- **Data Minimization:** Evaluate whether technical metadata sent to analytics vendors needs to be associated with PII (names/emails).
- **Extortion Trends:** Extortion groups continue to favor "pay or leak" over traditional ransomware (encryption), focusing on the value of the data itself.
## Recommendations
- **Third-Party Risk Management (TPRM):** Conduct rigorous security audits of all analytics and SaaS vendors handling user data.
- **Principle of Least Privilege:** Ensure third-party API keys and data transfers are restricted to the absolute minimum data required for the service.
- **Encryption at Rest:** Ensure all PII handled by vendors is encrypted, though this may not prevent "leak" impact if the vendor's environment is fully compromised.
- **Incident Response Planning:** Maintain a clear inventory of where data is shared to quickly identify the source of leaks when they appear on extortion sites.
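
The Data Minimization lesson and the least-privilege recommendation above can be enforced in code before any event is sent to an analytics vendor. The following is an added example, not code from Vimeo or Anodot. The event schema, field names, sample key and sample record are all constructed assumptions.

```python
import hashlib
import hmac
import re

# Assumption: hypothetical event schema. Only these fields go to the vendor.
ALLOWED_FIELDS = {"event", "video_id", "bitrate_kbps", "ts", "error_msg"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def pseudonymize(value, key):
    """Keyed hash (HMAC-SHA256) of a normalized identifier. The token is
    stable, so the vendor can still group events per user, but without the
    key it cannot be recomputed from a list of candidate addresses."""
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def minimize_event(event, key):
    """Return the copy of `event` that is allowed to leave for the vendor."""
    out = {}
    for name, value in event.items():
        if name not in ALLOWED_FIELDS:
            continue  # names, emails, titles and unknown fields are dropped
        if isinstance(value, str):
            # Edge case: an address embedded in an otherwise allowed field.
            value = EMAIL_RE.sub("[redacted-email]", value)
        out[name] = value
    if event.get("email"):
        out["subject"] = pseudonymize(event["email"], key)
    return out


# Constructed sample data. A real key belongs in a secrets manager on the
# data owner's side and is never shared with the vendor.
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_EVENT = {
    "event": "upload_failed",
    "video_id": "v-1001",
    "title": "Q3 board meeting (private)",
    "name": "Jane Doe",
    "email": " Jane.Doe@Example.com ",
    "bitrate_kbps": 4200,
    "ts": "2026-04-01T12:00:00Z",
    "error_msg": "upload failed for jane.doe@example.com",
}

if __name__ == "__main__":
    print(minimize_event(SAMPLE_EVENT, SAMPLE_KEY))
```

With this filter in place, a leak of the vendor's copy exposes event telemetry and opaque subject tokens rather than email addresses, names and video titles.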