Video service Vimeo confirms Anodot breach exposed user data

Source: Bleeping Computer

Breach Overview

Vimeo disclosed that data belonging to some of its customers and users was accessed without authorization following the recent breach at the Anodot data anomaly detection company. The threat actor accessed email addresses for some customers, but most of the exposed information consisted of technical data, video titles, and metadata.

“We have identified that, as a result of the Anodot breach, an unauthorized actor accessed certain Vimeo user and customer data. Our initial findings suggest that the databases accessed primarily contain technical data, video titles and metadata, and, in some cases, customer email addresses,” — Vimeo statement.

The breach was claimed by the extortion group ShinyHunters, which threatened to publish the stolen data by April 30 unless a ransom was paid.

Details of the Incident

• Source of the breach: Attackers compromised Anodot, a third‑party service used by Vimeo, and used stolen authentication tokens to access Vimeo’s Snowflake and BigQuery instances.
• Related activity: The same group has targeted other organizations, including Rockstar Games, claiming to have exfiltrated more than 78.6 million records.
• Threats: ShinyHunters warned that Vimeo could experience “several annoying digital problems” and listed the company on their extortion portal.

Impact on Vimeo Users

• Exposed data: Technical data, video titles, metadata, and in some cases, customer email addresses.
• Data not exposed: Video content uploaded by users, account credentials, and payment card information.
• Operational impact: Vimeo’s platform operations remained unaffected.

The exact amount of stolen data has not been disclosed.

Vimeo’s Response

• Disabled all Anodot credentials and removed the service’s integration.
• Initiated an investigation with third‑party security experts and notified law enforcement.
• Committed to providing updates if new, significant information emerges.