Vimeo data breach hits 119,000 users’ personal info
▼ Summary
– ShinyHunters stole personal information of over 119,000 people after hacking Vimeo via a breach at data anomaly detection company Anodot in April.
– Vimeo disclosed the breach on April 27, stating that accessed data included technical data, video metadata, and customer email addresses, but not credentials or financial information.
– Vimeo disabled all Anodot credentials and removed the integration to cut off attackers’ access, and notified law enforcement.
– ShinyHunters leaked a 106GB archive of stolen data on its dark web site after failing to extort Vimeo.
– Have I Been Pwned analyzed the stolen data and reported that 119,200 people had their email addresses and names exposed.
The ShinyHunters cyber extortion group has compromised the personal data of more than 119,000 individuals following a security breach at the online video platform Vimeo in April, according to data breach notification service Have I Been Pwned.
Vimeo, a publicly traded video hosting and streaming company listed on the Nasdaq, serves over 300 million registered users and employs more than 1,100 people. The firm reported $417 million in revenue for fiscal year 2024.
On April 27, Vimeo disclosed that unauthorized parties had accessed customer and user data after a breach at Anodot, a data anomaly detection firm. “Our initial findings suggest that the databases accessed primarily contain technical data, video titles and metadata, and, in some cases, customer email addresses,” the company stated.
Vimeo emphasized that the attack did not disrupt operations and that threat actors did not obtain login credentials or financial information. After detecting the breach, Vimeo immediately disabled all Anodot credentials and removed the Anodot integration from its systems to block further access. “The data accessed does not include Vimeo video content, valid user login credentials, or payment card information. Vimeo user and customer login credentials are secure. This incident did not cause any disruption to our systems or service,” the company added. It also engaged third-party security experts and notified law enforcement.
Following Vimeo’s disclosure, ShinyHunters released a 106GB archive of stolen documents on its dark web leak site after failing to extort the company. “Your Snowflake and Bigquery instances data was compromised thanks to Anodot.com,” the group said. “The company failed to reach an agreement with us despite our incredible patience, all the chances and offers we made.”
While Vimeo has not yet specified the total number of affected individuals, Have I Been Pwned analyzed the leaked data and confirmed that the breach exposed the email addresses and, in some cases, names of 119,200 people.
ShinyHunters previously told BleepingComputer that it had stolen data from dozens of companies using Anodot authentication tokens. The group also confirmed attempts to steal data from Salesforce instances, but said they were blocked by AI-based detection. Additionally, ShinyHunters has been linked to a widespread vishing campaign targeting employees’ and Business Process Outsourcing (BPO) agents’ Microsoft Entra, Okta, and Google SSO accounts. After compromising corporate SSO accounts, the group steals data from connected SaaS applications, including Salesforce, SAP, Slack, Adobe, Atlassian, Zendesk, Dropbox, Microsoft 365, and Google Workspace.
Other recent breaches claimed by ShinyHunters include the European Commission, Rockstar Games, edtech giant McGraw Hill, medical device maker Medtronic, cruise line operator Carnival, fast fashion retailer Zara, convenience store chain 7-Eleven, and online training company Udemy.
(Source: BleepingComputer)
