Vimeo confirmed that a security breach at its third-party analytics vendor, Anodot, led to unauthorized access to specific user and customer data. The incident is part of a larger supply-chain attack campaign linked to the financially motivated threat group ShinyHunters (tracked as UNC6661/UNC6671), who claimed responsibility and issued a ransom demand with a deadline of April 30, 2026.
Attack Vector
- Initial Access: ShinyHunters compromised Anodot's environment, a SaaS analytics provider, and exfiltrated authentication tokens belonging to Anodot's customers.
- Lateral Movement: Using these stolen tokens, the attackers masqueraded as a legitimate Anodot service to access Vimeo's cloud data warehouses, primarily Snowflake instances, without requiring login credentials.
- Underlying TTPs: The group is known for sophisticated social engineering and vishing (voice phishing) to steal SSO credentials and MFA codes, rather than exploiting product vulnerabilities. Crucially, this attack exploited trust in a third-party integration rather than a vulnerability on Vimeo's side.
Exposed Data
- Nature of Data: Databases accessed primarily contained technical data, video titles, and metadata; in some cases, customer email addresses were also exposed.
- Data Compromised: No video content, valid login credentials, or payment card information were accessed.
- Operational Impact: The incident did not cause any disruption to Vimeo's systems or services.
- Scope: Vimeo has not yet confirmed the total number of affected users or the volume of stolen data.
Immediate Response
- Containment: Vimeo has fully disabled all Anodot credentials and removed the service's integration with its systems.
- Threat Intelligence: The company linked to a January 2026 Google Threat Intelligence (Mandiant) report detailing ShinyHunters' tactics.
- Investigation & Notification: A forensic investigation with third-party security experts has been launched, and law enforcement authorities have been notified.
ShinyHunters Campaign
This incident against Vimeo is part of a wider, ongoing extortion campaign attributed to ShinyHunters. The group has been highly active in 2026, breaching multiple high-profile organizations through supply-chain compromises, social engineering, and credential theft.
- Rockstar Games: The threat actor exfiltrated over 78.6 million records, threatening to leak analytics and source code after compromising the game developer via the same Anodot-Snowflake attack vector.
- ADT: The home security company suffered a breach affecting data of approximately 5.5 million users.
- McGraw Hill: A data leak at the education company was tied to a Salesforce misconfiguration, demonstrating the group's diverse attack surface.
- Other Campaigns: The group has also claimed responsibility for breaching Match Group (Tinder, Hinge, OkCupid) and other major entities, showcasing its persistent and escalating operations.
- ShinyHunters has been linked to the "Com" community and has previously breached entities like Microsoft, Cisco, , and .
This incident underscores the critical risk posed by third-party integrations and the evolving nature of identity-based attacks. It highlights the need to phase out phishable authentication factors in favor of phishing-resistant MFA (FIDO2/passkeys), enforce strict least privilege across all SaaS integrations, and proactively hunt for threats by collecting comprehensive logs and establishing anomaly-detection mechanisms.
Vimeo has formally acknowledged the incident and committed to transparency, stating that their investigation is ongoing and the blog post will be updated as more information becomes available. Rockstar Games described its own exposure as a "limited amount of non-material company information" accessed through a third-party data breach.
Breach notices have been or are being issued to affected individuals where required, and Vimeo is adhering to applicable data protection regulations.