Vimeo Data Breach Exposes 119K User Emails via Compromised Third‑Party Analytics Vendor
What Happened – In April 2026, the ShinyHunters extortion group stole personal data belonging to roughly 119 000 Vimeo users. The attackers accessed the information through a compromise of Anodot, Vimeo’s third‑party analytics provider. The leaked archive contained video titles, technical metadata and email addresses, but no video content, login credentials, or payment details.
Why It Matters for TPRM –
- Third‑party integrations can become the weakest link in a supply chain, exposing downstream customers.
- Even “non‑critical” data such as email addresses and metadata can be weaponised for phishing, credential‑stuffing, or brand‑damage campaigns.
- The incident demonstrates the need for continuous monitoring of vendor security postures and rapid revocation of compromised integrations.
Who Is Affected – Media & entertainment platforms, SaaS video‑hosting services, and any organization that relies on third‑party analytics or telemetry providers.
Recommended Actions –
- Review all current analytics and telemetry vendors for security certifications and breach history.
- Validate that contracts include breach‑notification clauses and right‑to‑audit provisions.
- Immediately audit and, if necessary, disable any integrations that lack strong authentication or encryption.
- Implement data‑loss‑prevention (DLP) controls to monitor outbound metadata flows.
Technical Notes –
- Attack Vector: Compromise of Anodot’s environment (third‑party dependency).
- Data Types Exposed: Email addresses, user names (when available), video titles, technical metadata.
- No Impact on: Video content, user passwords, payment card information, or service availability.
- Response: Vimeo disabled Anodot access, removed the integration, engaged external incident‑response experts, and notified law enforcement.
Source: Security Affairs