Cyber Incident Victim: Vimeo

Date: Apr 2026

Location: United States of America

Summary

Vimeo disclosed a data breach affecting approximately 119,000 users after attackers compromised its third‑party analytics provider Anodot and used stolen authentication tokens to access Snowflake and BigQuery environments. The attackers exfiltrated email addresses, video titles and metadata but did not access uploaded videos, credentials or payment data. The ShinyHunters group claimed responsibility, listed the incident on their extortion portal and threatened to publish the stolen data unless a ransom was paid.


Description

In April 2026, Vimeo’s third‑party analytics provider Anodot suffered a compromise that allowed the ShinyHunters extortion group to obtain authentication tokens used for Vimeo’s Snowflake and BigQuery cloud environments. Using those stolen tokens, the attackers gained access to Vimeo’s cloud data stores without needing passwords, enumerated the available datasets and exfiltrated email addresses, video titles and technical metadata. The attackers did not access uploaded video content, account credentials or payment card information, and Vimeo’s platform operations remained uninterrupted throughout the incident. Vimeo publicly disclosed the breach on April 28, 2026, confirming that approximately 119,000 user records had been exposed. Security outlets such as BleepingComputer, Penta Security and SecurityWeek corroborated the disclosure and attributed the incident to ShinyHunters on April 29, 2026. The threat actors subsequently listed Vimeo on their extortion portal and warned that the stolen data would be published unless a ransom demand was met by April 30, 2026.

The exposed data consisted of email addresses, video titles and metadata derived from Vimeo’s Snowflake and BigQuery instances, which increased the risk of phishing and targeted social‑engineering attacks against affected users. Despite the data theft, Vimeo confirmed that no video files, login credentials or payment details were compromised, and the core video‑hosting service continued to function normally. The extortion attempt added financial pressure to the incident, as the attackers sought to monetize the stolen information through a ransom demand. The breach highlighted the reliance on third‑party integrations and the potential consequences when those partners are compromised. It also demonstrated that the attackers did not achieve privilege escalation or lateral movement within Vimeo’s own infrastructure beyond the permissions granted to Anodot.

In response, Vimeo disabled all Anodot‑related authentication credentials, removed the Anodot integration from its environment and engaged third‑party security experts and law‑enforcement agencies to investigate the attack. The company stated that it was working with those partners to determine the full scope of the intrusion and to ensure that any residual access was eliminated. Vimeo also confirmed that it had taken steps to secure its Snowflake and BigQuery instances and was monitoring for any further unauthorized activity. No additional details about the investigation’s outcome or future integration decisions were disclosed in the available sources.
