Vimeo Data Breach Linked to Anodot Incident by ShinyHunters Gang

Severity: Medium (Score: 51.9)

Sources: Securityaffairs.Co, Uk.Pcmag, Vimeo, Bleepingcomputer

Summary

Vimeo has confirmed a data breach resulting from a security incident at Anodot, a third-party analytics vendor. The breach, attributed to the ShinyHunters hacking group, exposed user email addresses, technical data, video titles, and metadata. Vimeo stated that no user login credentials, payment information, or video content were compromised. The ShinyHunters group is demanding a ransom to prevent the public release of the stolen data, threatening to leak it by April 30, 2026. Vimeo has disabled all Anodot credentials, removed its integration with the service, and is cooperating with law enforcement and third-party security experts for further investigation. The total number of affected users remains unclear, but Vimeo has approximately 287 million registered users. This incident follows a pattern of ShinyHunters targeting cloud-based services to access sensitive data. The breach highlights ongoing vulnerabilities in third-party integrations. Key Points: • Vimeo's data breach is linked to an earlier incident at Anodot. • ShinyHunters is demanding ransom to prevent data leaks, threatening to publish stolen data. • No user credentials or payment information were compromised in the breach.

Key Entities

• Data Breach (attack_type)
• ADT (company)
• Anodot (company)
• Rockstar Games (company)
• Snowflake (company)
• Vimeo (platform)
• BigQuery (platform)
• T1041 - Exfiltration Over C2 Channel (mitre_attack)
• T1078 - Valid Accounts (mitre_attack)