Vercel got hacked because an employee clicked 'Allow' on an OAuth prompt. We all do this.
Source: Dev.to
Background
The Vercel breach was not the result of a sophisticated zero‑day exploit. An employee clicked Allow on an OAuth prompt, an action that many of us perform dozens of times each month without reading the permissions.
How the breach unfolded
- Initial compromise – The Lumma Stealer malware harvested credentials from a Context.ai employee, including an OAuth token used for Context.ai’s Google Workspace integration, which was connected to Vercel’s systems.
- Persistent token – The OAuth token did not expire when the session ended; it remained valid and was later used by attackers to move laterally into Vercel’s infrastructure.
- Undetected access – The attackers maintained access from roughly June 2024 to April 2026 (almost two years). Once granted, an OAuth token produces no further login events, so traditional security alerts (failed logins, brute‑force attempts, suspicious IPs) never triggered.
Why OAuth tokens are dangerous
- One‑time grant, forgotten forever – Users often grant access once and never revisit the permission.
- No visible authentication events – A valid token makes API calls that look identical to normal traffic, so monitoring systems typically treat them as benign.
- Delegation, not authentication – Clicking “Allow” delegates authority; it does not authenticate the user. The trust model assumes the third‑party service remains secure indefinitely, which is rarely the case.
Personal audit experience
- Checked GitHub → Settings → Applications and discovered several OAuth grants from three years ago, many of which were unrecognizable.
- Reviewed OAuth connections across services (GitHub, Vercel, Slack, Notion, etc.) and revoked any that hadn’t been used in the last 90 days. The process took about 20 minutes and revealed a surprising amount of lingering privilege.
Team‑wide mitigations
- Quarterly OAuth grant audits – Schedule regular reviews of all OAuth permissions.
- Revocation of stale tokens – Remove any token that hasn’t been actively used within a defined window (e.g., 90 days).
- Monitoring for anomalous API usage – Implement alerts for unusual patterns even when valid tokens are used.
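The two checks above (revoke grants unused for 90 days, alert on unusual use of a still‑valid token) as an added example; this is illustrative code, not the post's or any provider's own tooling. It assumes you have already exported an inventory of grants with last‑used timestamps and per‑grant API events from each provider; the grants, scopes, dates and addresses below are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

STALE_AFTER = timedelta(days=90)  # the 90-day window the post revokes against

@dataclass(frozen=True)
class Grant:
    app: str
    scopes: tuple
    granted_at: datetime
    last_used_at: Optional[datetime]  # None: issued but never observed in use

def stale_grants(grants, now, window=STALE_AFTER):
    """Grants with no API use inside `window`. A never-used token is judged
    from its grant date, so it is flagged rather than silently kept."""
    return [g for g in grants if now - (g.last_used_at or g.granted_at) > window]

def anomalous_events(events, baseline_end):
    """Events are (app, timestamp, source_ip). Sources seen up to
    `baseline_end` form each app's baseline; later calls from a source not
    in that baseline are flagged even though the token itself is valid."""
    baseline = {}
    for app, ts, ip in events:
        if ts <= baseline_end:
            baseline.setdefault(app, set()).add(ip)
    return [e for e in events if e[1] > baseline_end and e[2] not in baseline.get(e[0], set())]

def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample inventory (not real grants); addresses are RFC 5737 test ranges.
NOW = _utc(2026, 4, 20)
GRANTS = [
    Grant("ci-deploy-bot", ("repo", "workflow"), _utc(2023, 5, 1), _utc(2023, 6, 10)),
    Grant("workspace-sync", ("drive.readonly", "calendar"), _utc(2024, 1, 15), _utc(2026, 4, 1)),
    Grant("old-linter", ("repo:status",), _utc(2025, 11, 2), None),
]
EVENTS = [
    ("workspace-sync", _utc(2026, 2, 3), "203.0.113.10"),
    ("workspace-sync", _utc(2026, 2, 20), "203.0.113.10"),
    ("workspace-sync", _utc(2026, 4, 1), "198.51.100.7"),  # valid token, unseen source
]

if __name__ == "__main__":
    for g in stale_grants(GRANTS, NOW):
        print(f"REVOKE {g.app}: scopes={g.scopes} last_used={g.last_used_at}")
    for app, ts, ip in anomalous_events(EVENTS, _utc(2026, 3, 1)):
        print(f"ALERT {app}: call at {ts.date()} from new source {ip}")
```

Run on the sample data it lists the two stale grants for revocation and raises one alert for the in‑use grant whose token was exercised from a source never seen during the baseline.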
Recommendations for everyone
- Inspect your OAuth grants today – Go to the OAuth settings of each service you use (e.g., GitHub, Vercel, Slack) and revoke any permissions you no longer need.
- Adopt a regular audit cadence – Treat OAuth grant reviews as a routine security task, not a one‑off activity.
- Educate teams about the difference between authentication and authorization – Emphasize that the “Allow” button is an authorization delegation, not a login event.
The “Allow” button is the most forgettable yet potentially dangerous UI element in modern development. Regularly reviewing and pruning OAuth permissions is a simple, effective way to reduce attack surface.