Full Report
The ShinyHunters extortion gang stole personal information belonging to over 119,000 people after hacking the Vimeo online video platform in April, according to data breach notification service Have I Been Pwned. [...]
Analysis Summary
# Incident Report: ShinyHunters Extortion Attack via Third-Party Integration (Anodot)
## Executive Summary
In April 2026, the ShinyHunters extortion group compromised Vimeo’s data by exploiting a breach at Anodot, a third-party data anomaly detection service. The attack resulted in the theft of personal information belonging to approximately 119,200 individuals after Vimeo’s Anodot authentication tokens were compromised. Following a failed extortion attempt, the attackers leaked a 106GB data archive containing technical data and user metadata.
## Incident Details
- **Discovery Date:** April 27, 2026
- **Incident Date:** April 2026
- **Affected Organization:** Vimeo
- **Sector:** Technology / Video Hosting and Streaming
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** April 2026
- **Vector:** Third-Party Supply Chain Compromise (SaaS Integration)
- **Details:** Attackers gained access to Vimeo’s environment using authentication tokens/credentials stolen from Anodot, a data analytics partner.
### Lateral Movement
- **Details:** Attackers used the compromised Anodot credentials to access Vimeo’s connected cloud data warehouse instances, specifically Snowflake and BigQuery.
### Data Exfiltration/Impact
- **Details:** The ShinyHunters gang exfiltrated 106GB of data. This included technical data, video titles, metadata, and the names and email addresses of 119,200 users. After Vimeo refused to pay an extortion demand, the data was published on the attackers' dark web leak site.
### Detection & Response
- **Discovery:** Vimeo detected unauthorized access linked to the Anodot breach.
- **Response:** Disabled all Anodot credentials, removed the integration entirely, and engaged third-party forensics experts.
## Attack Methodology
- **Initial Access:** Compromised authentication tokens/API keys from a third-party SaaS provider (Anodot).
- **Persistence:** Utilization of valid service-to-service integration credentials.
- **Collection:** Automated harvesting of data from cloud-based data warehouses.
- **Exfiltration:** Transfer of data to attacker-controlled infrastructure.
- **Impact:** Financial extortion attempt and public disclosure of sensitive data (Doxware/Extortion).
## Impact Assessment
- **Data Breach:** Exposure of email addresses and names for 119,200 people; 106GB of technical metadata leaked.
- **Operational:** Low; Vimeo reported no service disruptions.
- **Reputational:** High public visibility due to ShinyHunters' profile and Have I Been Pwned notification.
- **Financial:** Potential regulatory fines and costs associated with third-party forensic investigations.
## Indicators of Compromise
- **Credentials:** Compromised Anodot authentication tokens.
- **Actor:** ShinyHunters (extortion group).
- **Associated Infrastructure:** hxxp[://]shinyhunters[.]onion (fictionalized placeholder link for reporting purposes, not a real indicator).
## Response Actions
- **Containment:** Revocation of all Anodot API keys and credentials.
- **Eradication:** Complete removal of the Anodot integration from Vimeo’s systems.
- **Recovery:** Notification of affected users via Have I Been Pwned and internal channels.
- **Legal:** Formal notification to law enforcement agencies.
## Lessons Learned
- **Supply Chain Risk:** Attacks on "integrated" SaaS partners (like Anodot) provide a silent backdoor into otherwise secure environments like Snowflake and BigQuery.
- **Extortion Readiness:** The incident reflects the "double extortion" trend: stolen data is leaked when demands are not met, even where no service disruption occurs.
- **Detection Gaps:** Relying on third-party security is insufficient; internal monitoring of service-account behavior is critical.
## Recommendations
- **Inventory Integrations:** Regularly audit all third-party SaaS integrations and apply the Principle of Least Privilege (PoLP) to API tokens.
- **Implement Token Rotation:** Enforce strict expiration and rotation policies for all third-party authentication tokens.
- **Enhanced Monitoring:** Implement Behavioral Analytics to detect unusual data egress patterns from cloud databases (Snowflake/BigQuery).
- **Vendor Risk Management:** Require vendors to provide immediate disclosure of their own internal breaches that may impact API security.
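As an added example (not code from the report, Vimeo, Anodot, or any vendor product), the following script implements the service-account egress check recommended above: it baselines each user's daily rows returned and flags a day that is both far above that baseline and above an absolute floor. The rows are constructed to resemble a few columns of Snowflake's QUERY_HISTORY view, and the user names and thresholds are assumptions.

```python
from collections import defaultdict
from statistics import mean

# Constructed QUERY_HISTORY-style rows: (date, user_name, rows_produced).
# The integration user name ANODOT_SVC is an assumption, not from the report.
QUERY_HISTORY = [
    ("2026-04-20", "ANODOT_SVC", 4_000), ("2026-04-20", "ANODOT_SVC", 3_500),
    ("2026-04-21", "ANODOT_SVC", 4_200),
    ("2026-04-22", "ANODOT_SVC", 3_900), ("2026-04-22", "ANODOT_SVC", 4_100),
    ("2026-04-23", "ANODOT_SVC", 4_000),
    ("2026-04-24", "ANODOT_SVC", 3_800),
    ("2026-04-25", "ANODOT_SVC", 2_000_000),  # bulk pull far above normal
    ("2026-04-25", "ANODOT_SVC", 5_000_000),
    ("2026-04-20", "ANALYST_JANE", 120_000),
    ("2026-04-25", "ANALYST_JANE", 150_000),  # large but normal for this user
]


def daily_rows(rows):
    """Sum rows_produced per (user, date)."""
    totals = defaultdict(int)
    for date, user, produced in rows:
        totals[(user, date)] += produced
    return totals


def egress_alerts(rows, baseline_days=5, multiplier=10, min_rows=100_000):
    """Return (user, date, total, baseline) for each day whose egress is at
    least `multiplier` times the user's trailing mean daily egress over the
    previous `baseline_days` observed days and also above `min_rows`.
    The absolute floor keeps tiny baselines from producing noisy alerts."""
    totals = daily_rows(rows)
    by_user = defaultdict(list)
    # ISO dates sort lexically, so this yields each user's series in order.
    for (user, date), total in sorted(totals.items(), key=lambda kv: kv[0][1]):
        by_user[user].append((date, total))
    alerts = []
    for user, series in by_user.items():
        for i, (date, total) in enumerate(series):
            history = [t for _, t in series[max(0, i - baseline_days):i]]
            if not history:
                continue  # first observed day: no baseline yet for this user
            baseline = mean(history)
            if total >= min_rows and total >= multiplier * baseline:
                alerts.append((user, date, total, round(baseline)))
    return alerts
```

In production the same logic would run over the real QUERY_HISTORY or BigQuery INFORMATION_SCHEMA.JOBS data on a schedule, with the integration's users tagged so their alerts route to the team that owns the vendor relationship.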