Vimeo has disclosed that data belonging to some of its customers and users has been accessed without authorization following the recent breach at the Anodot data anomaly detection company.
The video platform says that the threat actor accessed email addresses for some of its customers, but most of the exposed information included technical data, video titles, and metadata.
“We have identified that, as a result of the Anodot breach, an unauthorized actor accessed certain Vimeo user and customer data. Our initial findings suggest that the databases accessed primarily contain technical data, video titles and metadata, and, in some cases, customer email addresses,” Vimeo states.
The Vimeo breach was claimed by the infamous extortion group ShinyHunters, who threatened to publish the stolen data by April 30 unless the company paid a ransom.
Vimeo is a video hosting and streaming platform, one of the largest alternatives to YouTube, enabling over 300 million registered users to upload, host, and share high-quality videos.
The company employs over 1,100 people, has an annual revenue of $417 million, and is publicly traded on the Nasdaq stock market.
Yesterday, ShinyHunters listed Vimeo on their extortion portal, claiming to have data from the company’s Snowflake and BigQuery instances.
Apart from threatening to leak the data, the actor also issued a warning to the company, stating that the platform should expect “several annoying digital problems.”
The Anodot incident involved attackers stealing authentication tokens and using them to access customer environments, primarily Snowflake, and exfiltrate data from multiple organizations.
The activity has been linked to the ShinyHunters extortion group, which is now attempting to monetize the breach through extortion and by threatening to leak the stolen data from various downstream victims.
One of those victims was game development studio Rockstar Games, with ShinyHunters claiming to have exfiltrated more than 78.6 million records.
In the case of Vimeo, however, the impact remains unclear as the actor did not state the amount of stolen data.
Vimeo has specified that the exposed data does not include video content users uploaded on the platform, account credentials, or payment card information. Also, the platform’s operations remained unaffected.
The company has now disabled all Anodot credentials and removed the service’s integration with its systems.
Vimeo is now investigating the incident with the help of third-party security experts and has also notified law enforcement authorities.
The firm promised to provide updates if the investigation uncovers important new information about the incident.
AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.
