Vercel confirms customer data stolen before recent hack

Cloud and hosting platform Vercel has disclosed that hackers accessed some customer data before the company discovered its recent security incident, indicating the breach may be more extensive than originally reported.

In a revised statement on its security incident page, the company confirmed that its expanded investigation uncovered evidence of malicious network activity that predates the early-April intrusion. According to the update, “We have uncovered a small number of customer accounts with evidence of prior compromise that is independent of and predates this incident, potentially as a result of social engineering, malware, or other methods.”

Vercel also revealed that additional customer accounts were compromised during the April breach, though it did not specify how many. The company said it has notified all affected customers identified so far.

The San Francisco-based firm initially attributed the breach to an employee downloading an application from software startup Context AI, which hackers exploited to gain access to the employee’s work account and, subsequently, Vercel’s internal systems. The latest disclosure suggests the breach may have a broader scope and a longer timeline than first understood.

In a post on X, Vercel CEO Guillermo Rauch confirmed that the attackers remained active beyond the Context AI compromise. Context AI acknowledged its own earlier breach in a post this week.

A Vercel spokesperson declined to comment beyond the incident page update, refusing to confirm how many customers are now affected or how far back the earlier compromise dates.

The company has not yet identified the exact method the hackers used to break in, but Rauch pointed to early evidence that they relied on malware capable of compromising computers “in search of valuable tokens like keys to Vercel accounts and other providers.” This likely refers to information-stealing malware, or infostealers, which often disguise themselves as legitimate software. Once installed, the malware collects and uploads sensitive data such as passwords and private keys, giving hackers access to any system those keys unlock.

“Once the attacker gets ahold of those keys, our logs show a repeated pattern: rapid and comprehensive API usage, with a focus on enumeration of non-sensitive environment variables,” Rauch explained.

The hackers used the hijacked Vercel employee’s account to access internal systems, including unencrypted customer credentials.

Rauch’s comments align with earlier reports from security researchers that a Context AI employee’s computer was infected with infostealer malware after allegedly searching for Roblox game cheats. TechCrunch reported Thursday that Delve, a compliance startup accused of faking customer data, performed security certifications for Context AI.

It remains unclear how many customers are impacted by the Vercel breaches and data thefts. Both Vercel and Context AI have indicated that the incident may affect additional companies, and more victims could emerge as investigations continue.