Data Breach Exposes 119K Vimeo User Emails via Anodot Vendor Compromise
What Happened — In April 2026 the ShinyHunters extortion group listed Vimeo on its “pay‑or‑leak” portal and later published hundreds of gigabytes of data that included 119,167 unique email addresses and associated names. The exposure was traced to a breach of Anodot, a third‑party analytics provider used by Vimeo.
Why It Matters for TPRM —
- Third‑party analytics services can become the weakest link in a vendor’s data‑protection chain.
- Email address leaks enable credential‑stuffing, phishing, and social‑engineering attacks against both end‑users and corporate accounts.
- Even when core content and payment data remain safe, personal identifiers increase reputational risk and may trigger regulatory notification obligations.
Who Is Affected — Media & entertainment platforms, SaaS video‑hosting services, and any organization that integrates Vimeo for video content delivery or marketing.
Recommended Actions —
- Review your contracts and security questionnaires for third‑party analytics providers.
- Verify that vendors enforce encryption‑at‑rest and have breach‑notification clauses.
- Mandate multi‑factor authentication and password‑manager usage for all accounts linked to Vimeo.
- Monitor for phishing attempts that draw on the leaked email list.
Technical Notes —
- Attack vector: compromise of Anodot analytics vendor (third‑party dependency).
- No CVEs were disclosed.
- Exfiltrated data: email addresses, user names, video titles, technical metadata.
- No login credentials, payment card data, or video content were compromised.
- Source: Have I Been Pwned – Vimeo Breach