Vimeo Data Exposed via Anodot Breach: Emails and Video Metadata Leaked by ShinyHunters
What Happened – A breach at the data‑anomaly platform Anodot allowed threat actors to access Vimeo’s Snowflake and BigQuery databases. The attackers exfiltrated email addresses, video titles and associated metadata belonging to a subset of Vimeo’s customers and users. ShinyHunters publicly claimed the theft and threatened to publish the data unless a ransom was paid.
Why It Matters for TPRM –
- Third‑party supply‑chain compromises can surface sensitive customer data even when the primary vendor’s own defenses are intact.
- Exposure of user emails and content metadata creates privacy, regulatory, and brand‑reputation risks for downstream partners.
- The incident highlights the need for continuous monitoring of vendor‑provided credentials and integration points.
Who Is Affected – Media & Entertainment platforms, SaaS video‑hosting services, and any downstream organizations that embed Vimeo videos or rely on its API.
Recommended Actions –
- Review all third‑party integrations with Anodot or similar analytics services and revoke any compromised credentials.
- Conduct a data‑inventory to identify any exposed Vimeo metadata within your environment.
- Enhance monitoring for phishing or credential‑stuffing attempts that could leverage the leaked email addresses.
- Verify that contractual security clauses (e.g., SOC 2, ISO 27001) cover supply‑chain breach notification and remediation.
Technical Notes – The attackers leveraged stolen authentication tokens from Anodot to query Vimeo’s Snowflake and BigQuery instances. No video content, account passwords, or payment data were reported as compromised. Vimeo’s operations remained online; the company disabled Anodot credentials and engaged external incident‑response experts. Source: BleepingComputer