Vimeo data breach exposes personal information of 119,000 people
Source: Bleeping Computer
Breach Overview
The ShinyHunters extortion gang stole personal information belonging to over 119,000 people after hacking the Vimeo online video platform in April, according to data‑breach notification service Have I Been Pwned.
Vimeo is a video‑hosting and streaming platform publicly traded on the Nasdaq, with more than 300 million registered users, over 1,100 employees, and reported revenues of $417 million for FY 2024.
The company disclosed on April 27 that customer and user data had been accessed without authorization following a recent breach at Anodot, a data‑anomaly detection service.
“Our initial findings suggest that the databases accessed primarily contain technical data, video titles and metadata, and, in some cases, customer email addresses,” Vimeo said.
Vimeo’s Response
Vimeo stated that the attack did not cause any service disruptions and that the threat actors did not obtain affected individuals’ credentials or financial information. The company disabled all Anodot credentials after detecting the breach and removed the Anodot integration from its systems.
“The data accessed does not include Vimeo video content, valid user login credentials, or payment card information. Vimeo user and customer login credentials are secure. This incident did not cause any disruption to our systems or service… Upon learning of the incident, we promptly disabled all Anodot credentials, removed the Anodot integration with Vimeo systems, and engaged third‑party security experts to assist with the investigation. We have also notified law enforcement.”
After Vimeo’s disclosure, ShinyHunters leaked a 106 GB archive of stolen documents on its dark‑web data‑leak site after failing to extort the company.
“Your Snowflake and BigQuery instances data was compromised thanks to Anodot.com,” the extortion gang wrote. “The company failed to reach an agreement with us despite our incredible patience, all the chances and offers we made.”
Vimeo entry on ShinyHunters leak site (BleepingComputer)
While Vimeo has not disclosed the exact number of individuals whose information was stolen, Have I Been Pwned analyzed the leaked data and reported that the breach exposed email addresses and, in some cases, names of 119,200 people.
ShinyHunters’ Broader Activity
Previously, the group told BleepingComputer that it had stolen data from dozens of companies using Anodot authentication tokens. ShinyHunters also confirmed attempts to steal data from Salesforce instances, but said they were blocked by AI‑based detection.
The gang has been linked to a widespread vishing campaign targeting employees and BPO agents’ Microsoft Entra, Okta, and Google SSO accounts. After breaching corporate SSO accounts, they exfiltrate data from connected SaaS applications such as Salesforce, SAP, Slack, Adobe, Atlassian, Zendesk, Dropbox, Microsoft 365, Google Workspace, and others.
Recent breaches claimed by ShinyHunters include:
- European Commission
- Rockstar Games
- McGraw Hill
- Medtronic
- Carnival (cruise line operator)
- Zara (fast‑fashion retailer)
- 7‑Eleven (convenience‑store chain)
- Udemy (online training company)