Vimeo links customer data exposure to Anodot supply-chain breach
Vimeo said a security incident exposed some user and customer data through a compromise at third-party analytics vendor Anodot, and linked the activity to the ShinyHunters cybercriminal ecosystem. According to Vimeo, the accessed information primarily included technical data, video titles and metadata, and in some cases customer email addresses; the company said video content, user login credentials, and payment card data were not accessed. ShinyHunters subsequently added Vimeo to its leak site and threatened to publish the data if a ransom was not paid.
Vimeo said it disabled Anodot credentials, removed the Anodot integration, engaged external security experts, and notified law enforcement while continuing its investigation. The company said its services were not disrupted. Reporting indicates the incident may be part of a broader supply-chain compromise involving Anodot that could affect multiple customers. That would be consistent with recent ShinyHunters operations, which have relied heavily on voice and email phishing to gain access rather than exploiting software vulnerabilities.
Timeline
May 5, 2026
ShinyHunters leaks Vimeo data; HIBP counts 119,200 exposed emails
After failed extortion attempts, ShinyHunters reportedly published a 106 GB Vimeo data archive on its leak site. Have I Been Pwned said the breach exposed the email addresses and, in some cases, names of 119,200 individuals.
Apr 28, 2026
ShinyHunters adds Vimeo to leak site and threatens data release
The Record reported that ShinyHunters listed Vimeo on its leak site and threatened to publish the stolen data if a ransom was not paid. Vimeo linked the Anodot-related incident to the ShinyHunters cybercriminal ecosystem.
Apr 27, 2026
Vimeo removes Anodot access and notifies law enforcement
In response to the incident, Vimeo said it disabled Anodot credentials, removed the Anodot integration, engaged third-party security experts, and notified law enforcement. Vimeo added that services were not disrupted and its investigation was ongoing.
Apr 27, 2026
Vimeo discloses customer data exposure tied to Anodot breach
Vimeo said user and customer data was accessed through a breach affecting third-party analytics vendor Anodot. Exposed information primarily included technical data, video titles and metadata, and in some cases customer email addresses, while video content, login credentials, and payment card data were not accessed.
Apr 27, 2026
Arctic Wolf links broader Web3 targeting campaign to BlueNoroff
Arctic Wolf disclosed a wider campaign involving more than 80 typo-squatted Zoom and Teams domains, over 950 attacker-hosted media files, and at least 100 identified targets across more than 20 countries. The company attributed the activity with high confidence to BlueNoroff based on infrastructure, tooling, targeting, and DPRK-business-hours activity patterns.
Apr 27, 2026
BlueNoroff maintains persistence for 66 days and expands victim impersonation pipeline
During post-exploitation, the attackers used a fileless PowerShell implant, screenshot capture, browser process injection, a later UAC bypass, and persistence lasting 66 days. Arctic Wolf said stolen webcam footage and AI-generated images were reused to impersonate prior victims in future fake meetings.
Apr 27, 2026
BlueNoroff compromises a North American Web3 company via fake Zoom lure
Arctic Wolf reported that a North American Web3/cryptocurrency company was compromised through a social-engineering chain involving a manipulated Calendly invite, a typo-squatted Zoom link, a fake meeting page, and ClickFix-style clipboard injection. The intrusion led to rapid compromise and subsequent credential, browser, wallet, and Telegram session theft.
Sources
5 more from sources like cyber security news, security affairs, teiss news, the record media and arctic wolf blog
Related Stories

Vercel Confirms Breach After Threat Actor Offers Alleged Stolen Data for Sale
Vercel confirmed a security incident involving unauthorized access to certain internal systems after a threat actor using the name **ShinyHunters** claimed to be selling allegedly stolen company data on a hacking forum. The company said only a limited subset of customers was affected, its services remain operational, and it has engaged incident response experts, notified law enforcement, and is working directly with impacted customers. The actor claimed the stolen data included access keys, source code, database data, internal deployment access, and API keys, and shared a text file with 580 employee-related records along with a screenshot purportedly showing an internal Vercel Enterprise dashboard. Vercel advised customers to review environment variables and rotate secrets if necessary, while the authenticity of the leaked materials and the attribution to **ShinyHunters** remained unverified; the actor also claimed on Telegram that a **$2 million** ransom demand had been discussed with the company.
1 week ago
ShinyHunters Claims Okta Vishing Campaign and Leaks Data from Crunchbase, Betterment, and SoundCloud
The **ShinyHunters** extortion group claimed responsibility for a recent **Okta SSO voice-phishing (vishing)** campaign used to steal authentication codes and access victim environments. The group told reporters and researchers it used vishing to obtain Okta single-sign-on codes to compromise **Crunchbase** and **Betterment**, and then published alleged stolen data after the organizations reportedly rejected extortion demands; ShinyHunters also said additional victims exist and that more disclosures are forthcoming. ShinyHunters published alleged datasets for **Crunchbase, Betterment, and SoundCloud** on a newly launched leak site, asserting the dumps contain **PII** and large record counts (reported as **>20 million** for Betterment, **~2 million** for Crunchbase, and **~30+ million** for SoundCloud). **SoundCloud** stated it is aware of data published online allegedly taken from its organization and said its security team, supported by third-party experts, is reviewing the claim and the posted data; ShinyHunters asserted SoundCloud access was *not* obtained via SoundCloud’s Okta credentials. SoundCloud had previously confirmed a breach affecting roughly **20% of users** (about **28 million** based on public user counts), while Crunchbase and Betterment had not publicly responded at the time of reporting.
1 month ago
Stolen SaaS Integration Tokens Fuel Data Theft at Snowflake Customers
A breach at a third-party SaaS integration provider allegedly exposed authentication tokens that were then used to steal data from more than a dozen companies, with most of the activity targeting **Snowflake** customer environments. Snowflake said it detected unusual activity affecting a small number of customers tied to a specific third-party integration and emphasized that its own platform was not compromised through a vulnerability. Reporting identified the suspected source as **Anodot**, a data anomaly detection company owned by Glassbox, though neither company publicly responded at the time. The threat actor identified as **ShinyHunters** claimed responsibility, saying it stole data from dozens of organizations and sought extortion payments to prevent publication of the information. The campaign reportedly also targeted other cloud and SaaS providers, while an attempted theft involving **Salesforce** was said to have been blocked by AI-based detection. **Google Threat Intelligence Group** said it was tracking the incident, and **Payoneer** said it was aware of the provider breach linked to Anodot but had determined it was not affected.
6 days ago