Vercel Breach - Context AI Hack Exposes Customer Credentials

Vercel has reported a breach linked to a compromised third-party AI tool, Context.ai, exposing customer credentials and internal systems. Affected customers are advised to take immediate action.


Original Reporting

The Hacker News

AI Summary

CyberPings AI · Reviewed by Rohit Rana

🎯Vercel had a security problem because a tool they used from another company got hacked. This allowed bad guys to sneak into Vercel's systems and steal some customer information. If you're a customer, it's important to change your passwords and check for any strange activity.

What Happened

Vercel, a cloud deployment and hosting platform, has disclosed a serious security breach that has allowed attackers to gain unauthorized access to some of its internal systems. The breach originated from a compromise of Context.ai, a third-party AI tool that was used by an employee at Vercel. The attacker leveraged this access to take over the employee's Vercel Google Workspace account, which granted them access to certain Vercel environments and environment variables that were not marked as 'sensitive.' Vercel's CEO, Guillermo Rauch, emphasized that while sensitive environment variables are stored in an encrypted manner, the attacker managed to gain further access through enumeration of non-sensitive variables.

Who's Affected

A "limited subset" of Vercel customers has had their credentials compromised. Vercel has reached out to these affected customers directly, advising them to rotate their credentials immediately. The company is actively working with cybersecurity experts, including the Google-owned Mandiant, to investigate the full scope of the breach and to implement additional security measures.

What Data Was Exposed

The compromised data includes Google Workspace credentials, as well as keys and logins for services such as Supabase, Datadog, and Authkit. Notably, the breach has been linked to the ShinyHunters group, who claimed responsibility for the hack and attempted to sell the stolen data for $2 million. Context.ai has also confirmed that unauthorized access to its AWS environment occurred, which may have involved compromised OAuth tokens for some of its users, further complicating the breach's implications.

What You Should Do

Affected customers are urged to take immediate action, following the containment and remediation steps listed below. In light of the breach, Vercel has implemented enhanced monitoring and protection measures. It is also advising Google Workspace administrators to check for the OAuth application linked to the breach and to conduct their own investigations if necessary. The unique identifier for the compromised OAuth application is 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com. Vercel continues to analyze its supply chain to ensure the safety of its open-source projects, including Next.js and Turbopack. The investigation remains ongoing, and Vercel is committed to updating its customers as more information becomes available.
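
One way a Workspace administrator could run that check, shown as an added example that is not code from Vercel, Google or the original report. It assumes the OAuth token audit log has been exported as JSON in the Admin SDK Reports API activity shape (`authorize`/`revoke` events carrying `client_id` and `scope` parameters); the sample records, users and the second client ID are constructed.

```python
import json

# OAuth client ID quoted in the advisory text above.
COMPROMISED_CLIENT_ID = (
    "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com"
)

def _event(user, time, name, client_id, scopes):
    """Build one constructed record in the Reports API 'token' activity shape."""
    return {"id": {"time": time}, "actor": {"email": user},
            "events": [{"name": name, "parameters": [
                {"name": "client_id", "value": client_id},
                {"name": "scope", "multiValue": scopes}]}]}

# Constructed sample data: users, timestamps and the second client ID are made up.
SAMPLE_EXPORT = json.dumps({"items": [
    _event("bob@example.com", "2025-01-11T08:30:00.000Z", "authorize",
           COMPROMISED_CLIENT_ID, ["https://www.googleapis.com/auth/drive.readonly"]),
    _event("alice@example.com", "2025-01-12T10:00:00.000Z", "revoke",
           COMPROMISED_CLIENT_ID, ["openid"]),
    _event("alice@example.com", "2025-01-10T09:00:00.000Z", "authorize",
           COMPROMISED_CLIENT_ID, ["openid", "https://www.googleapis.com/auth/userinfo.email"]),
    _event("carol@example.com", "2025-01-10T09:05:00.000Z", "authorize",
           "000000000000-constructed.apps.googleusercontent.com", ["openid"]),
]})

def find_grants(export_json, client_id=COMPROMISED_CLIENT_ID):
    """Map each user who touched client_id to scopes seen and current grant state."""
    users = {}
    # Timestamps are assumed to share one RFC 3339 UTC format, so string sort is chronological.
    items = sorted(json.loads(export_json).get("items", []), key=lambda i: i["id"]["time"])
    for item in items:
        user = item.get("actor", {}).get("email", "unknown")
        for event in item.get("events", []):
            params = {p["name"]: p.get("multiValue", p.get("value"))
                      for p in event.get("parameters", [])}
            if params.get("client_id") != client_id:
                continue
            rec = users.setdefault(user, {"scopes": set(), "active": False, "last_seen": None})
            scopes = params.get("scope") or []
            rec["scopes"].update([scopes] if isinstance(scopes, str) else scopes)
            if event["name"] in ("authorize", "revoke"):
                rec["active"] = event["name"] == "authorize"
            rec["last_seen"] = item["id"]["time"]
    return users

if __name__ == "__main__":
    for user, rec in find_grants(SAMPLE_EXPORT).items():
        state = "STILL GRANTED" if rec["active"] else "revoked"
        print(f"{user}: {state}, last seen {rec['last_seen']}, scopes={sorted(rec['scopes'])}")
```

Any user reported as still granted is a candidate for token revocation and credential rotation; a user whose grant was later revoked still warrants a review of activity between the two timestamps.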

Containment

  • 1. Rotate all credentials and environment variables.
  • 2. Review account activity logs for any signs of suspicious activity.

Remediation

  • 3. Rotate Deployment Protection tokens if applicable.
  • 4. Utilize sensitive environment variables to protect secret values from being read in the future.

🔒 Pro Insight

The breach highlights the vulnerabilities associated with third-party integrations and the need for robust security measures around OAuth applications. Organizations must remain vigilant in monitoring their access permissions and the security of third-party tools.
