Vimeo Confirms Data Breach via Anodot Supply Chain Attack

Key Takeaways

- Vimeo user emails, video titles, and metadata were exposed through the Anodot breach
- ShinyHunters threatens to publish stolen data by April 30 unless a ransom is paid
- No video content, account credentials, or payment information was compromised

Vimeo has confirmed that an unauthorized actor accessed user data following a breach at Anodot, a third-party analytics vendor. The video platform disclosed the incident after the ShinyHunters extortion group claimed responsibility and threatened to publish stolen data.
The breach primarily exposed technical data, video titles, and metadata. Some customer email addresses were also accessed. Vimeo emphasized that video content, account credentials, and payment card information were not compromised.
What Data Was Exposed
"We have identified that, as a result of the Anodot breach, an unauthorized actor accessed certain Vimeo user and customer data," the company stated. "Our initial findings suggest that the databases accessed primarily contain technical data, video titles and metadata, and, in some cases, customer email addresses."
Vimeo serves over 300 million registered users and generated $417 million in annual revenue. The company trades publicly on the Nasdaq and employs more than 1,100 people. Platform operations remained unaffected during the incident.
ShinyHunters Issues Ransom Deadline
ShinyHunters, a notorious extortion group, listed Vimeo on their portal on April 27. The group claims to have obtained data from Vimeo's Snowflake and BigQuery instances. They set an April 30 deadline for ransom payment.
Beyond the data leak threat, ShinyHunters warned Vimeo to expect "several annoying digital problems." The group did not specify how much data they obtained from Vimeo specifically.
The Anodot Supply Chain Attack
The breach originated at Anodot, a data anomaly detection company. Attackers stole authentication tokens and used them to access customer environments. The primary target was Snowflake instances, from which attackers exfiltrated data across multiple organizations.
Vimeo is not the only victim. ShinyHunters also claimed to have stolen more than 78.6 million records from game developer Rockstar Games through the same Anodot compromise. The group is now attempting to monetize stolen data through extortion across multiple downstream victims.
Vimeo's Response
Vimeo has taken several immediate steps. The company disabled all Anodot credentials and removed the service's integration from its systems. Third-party security experts are now assisting with the investigation.
Law enforcement authorities have been notified. Vimeo committed to providing updates if the investigation uncovers additional information about the scope or impact of the breach.
- All Anodot credentials disabled
- Anodot integration removed from Vimeo systems
- Third-party security experts engaged
- Law enforcement notified

Logicity's Take
What Vimeo Users Should Do
Vimeo has not indicated whether individual users will receive breach notifications. If you use Vimeo, watch for phishing attempts that reference your video titles or account details. While passwords were not exposed, changing your Vimeo password and enabling two-factor authentication is a reasonable precaution.
Business accounts should review what data they store on Vimeo and assess whether exposed metadata poses any confidentiality concerns. Video titles and technical metadata could reveal project names or unreleased content details.
Frequently Asked Questions
Was my Vimeo password exposed in the breach?
No. Vimeo confirmed that account credentials were not accessed in the Anodot breach.
Did attackers access uploaded videos?
No. Video content was not compromised. Only metadata, video titles, and some email addresses were exposed.
Who is responsible for the Vimeo breach?
The ShinyHunters extortion group claims responsibility. They compromised Anodot, a third-party vendor Vimeo used for analytics.
What should I do if I have a Vimeo account?
Enable two-factor authentication, update your password as a precaution, and watch for phishing emails that reference your video titles or account details.
Is Vimeo paying the ransom?
Vimeo has not disclosed whether it will pay. The company is working with security experts and law enforcement.
Source: BleepingComputer
Huma Shazia
Senior AI & Tech Writer