Vimeo data breach exposes personal information of 119,000 people

by · BleepingComputer

The ShinyHunters extortion gang stole personal information belonging to over 119,000 people after hacking the Vimeo online video platform in April, according to data breach notification service Have I Been Pwned.

Vimeo is a video hosting and streaming platform publicly traded on the Nasdaq stock market, with over 300 million registered users and over 1,100 employees, and reported revenues of $417 million for FY2024.

The company disclosed on April 27 that customer and user data had been accessed without authorization following a recent breach at Anodot, a data anomaly detection company.

"Our initial findings suggest that the databases accessed primarily contain technical data, video titles and metadata, and, in some cases, customer email addresses," Vimeo said.

However, the company said the attack didn't cause any disruptions and that the threat actors didn't gain access to affected individuals' credentials or financial information. Vimeo also disabled all Anodot credentials after detecting the breach and removed the Anodot integration with its systems to cut off the attackers' access.

"The data accessed does not include Vimeo video content, valid user login credentials, or payment card information. Vimeo user and customer login credentials are secure. This incident did not cause any disruption to our systems or service," it added. "Upon learning of the incident, we promptly disabled all Anodot credentials, removed the Anodot integration with Vimeo systems, and engaged third-party security experts to assist with the investigation. We have also notified law enforcement."

After Vimeo's disclosure, the ShinyHunters cybercrime group leaked a 106GB archive of stolen documents on its dark web data leak site after failing to extort the company.

"Your Snowflake and Bigquery instances data was compromised thanks to Anodot.com," the extortion gang said. "The company failed to reach an agreement with us despite our incredible patience, all the chances and offers we made."

Vimeo entry on ShinyHunters leak site (BleepingComputer)

While Vimeo has yet to disclose the total number of individuals whose information was stolen in the incident, data breach notification service Have I Been Pwned analyzed the stolen data and reported that the breach exposed the email addresses and (in some cases) names of 119,200 people.

Previously, the cybercrime group told BleepingComputer that it had stolen data from dozens of companies using Anodot authentication tokens. ShinyHunters also confirmed they attempted to steal data from Salesforce instances, but said they were blocked by AI-based detection.
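The pattern described above, a vendor integration's long-lived tokens being reused to pull data straight out of a customer's Snowflake or BigQuery, is one a data-platform owner can watch for in query history, because a third-party integration account normally has a narrow, predictable footprint. The following is an added example written for this article, not code from Vimeo, Anodot, or BleepingComputer: it runs a few scope and volume rules over constructed records shaped like a subset of Snowflake's QUERY_HISTORY columns. The account name SVC_ANOMALY_VENDOR, the role, the IP addresses, the table names and the row counts are all made up for the illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class QueryEvent:
    """One query-history row (constructed; mirrors a few Snowflake QUERY_HISTORY columns)."""
    start_time: datetime
    user_name: str
    role_name: str
    client_ip: str
    query_type: str      # SELECT, COPY, UNLOAD, ...
    query_text: str
    rows_produced: int


@dataclass(frozen=True)
class IntegrationPolicy:
    """What a third-party integration account is allowed to do (assumed, per-vendor)."""
    user_name: str
    allowed_roles: FrozenSet[str]
    allowed_ips: FrozenSet[str]          # vendor's published egress addresses (hypothetical)
    allowed_query_types: FrozenSet[str]
    allowed_objects: FrozenSet[str]      # fully qualified tables/views, upper-cased
    max_rows_per_hour: int               # baseline ceiling for the integration's read volume


# Crude object extraction: good enough for FROM/JOIN/INTO <table>; not a SQL parser.
OBJECT_RE = re.compile(r"\b(?:FROM|JOIN|INTO)\s+([A-Za-z_][\w.]*)", re.IGNORECASE)


def referenced_objects(query_text: str) -> Set[str]:
    """Upper-cased table/view names a statement reads from or writes into."""
    return {m.group(1).upper() for m in OBJECT_RE.finditer(query_text)}


def detect_integration_abuse(events: List[QueryEvent], policy: IntegrationPolicy) -> List[dict]:
    """Flag activity by the integration account that falls outside its policy.

    Rules: unexpected role, unknown source IP, unexpected statement type,
    objects outside the allowed set, and hourly row volume over baseline
    (the volume rule fires once per hour, on the event that crosses the line).
    """
    findings: List[dict] = []
    rows_per_hour: Dict[datetime, int] = defaultdict(int)
    flagged_hours: Set[datetime] = set()

    for i, ev in enumerate(events):
        if ev.user_name != policy.user_name:
            continue  # only the integration account is in scope here
        if ev.role_name not in policy.allowed_roles:
            findings.append({"rule": "unexpected_role", "event": i, "detail": ev.role_name})
        if ev.client_ip not in policy.allowed_ips:
            findings.append({"rule": "unknown_source_ip", "event": i, "detail": ev.client_ip})
        if ev.query_type.upper() not in policy.allowed_query_types:
            findings.append({"rule": "unexpected_statement", "event": i, "detail": ev.query_type})
        outside = referenced_objects(ev.query_text) - policy.allowed_objects
        if outside:
            findings.append({"rule": "object_outside_scope", "event": i, "detail": sorted(outside)})
        hour = ev.start_time.replace(minute=0, second=0, microsecond=0)
        rows_per_hour[hour] += ev.rows_produced
        if rows_per_hour[hour] > policy.max_rows_per_hour and hour not in flagged_hours:
            flagged_hours.add(hour)
            findings.append({"rule": "volume_over_baseline", "event": i, "detail": rows_per_hour[hour]})
    return findings


# Constructed policy for a hypothetical metrics-monitoring integration.
POLICY = IntegrationPolicy(
    user_name="SVC_ANOMALY_VENDOR",
    allowed_roles=frozenset({"VENDOR_METRICS_RO"}),
    allowed_ips=frozenset({"203.0.113.10"}),
    allowed_query_types=frozenset({"SELECT"}),
    allowed_objects=frozenset({"METRICS.DAILY_VIDEO_STATS"}),
    max_rows_per_hour=50_000,
)

# Constructed sample: one normal vendor read, one unrelated analyst query,
# then two events that look like a token being reused to bulk-read a user table.
SAMPLE_EVENTS = [
    QueryEvent(datetime(2025, 4, 20, 2, 0), "SVC_ANOMALY_VENDOR", "VENDOR_METRICS_RO", "203.0.113.10",
               "SELECT", "SELECT day, views FROM metrics.daily_video_stats WHERE day = CURRENT_DATE", 1_200),
    QueryEvent(datetime(2025, 4, 20, 9, 30), "ANALYST_JANE", "ANALYST", "192.0.2.5",
               "SELECT", "SELECT count(*) FROM accounts.users", 1),
    QueryEvent(datetime(2025, 4, 21, 3, 5), "SVC_ANOMALY_VENDOR", "VENDOR_METRICS_RO", "198.51.100.77",
               "SELECT", "SELECT email, display_name FROM accounts.users", 4_000_000),
    QueryEvent(datetime(2025, 4, 21, 3, 20), "SVC_ANOMALY_VENDOR", "ACCOUNTADMIN", "198.51.100.77",
               "COPY", "COPY INTO @exfil FROM accounts.users", 4_000_000),
]

if __name__ == "__main__":
    for f in detect_integration_abuse(SAMPLE_EVENTS, POLICY):
        print(f)
```

The policy is the important part: an integration account should have its own user and role, a fixed set of objects, and a known egress address set, so that any of these rules can be evaluated mechanically. The same checks give a revocation test after an incident like this one: once the vendor's credentials are disabled, any new event for that user name is itself a finding.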

ShinyHunters has also been linked to a widespread vishing campaign that targets employees' and Business Process Outsourcing (BPO) agents' Microsoft Entra, Okta, and Google SSO accounts.

After breaching corporate SSO accounts, they steal data from connected SaaS applications, including Salesforce, SAP, Slack, Adobe, Atlassian, Zendesk, Dropbox, Microsoft 365, Google Workspace, and others.

Other breaches claimed by ShinyHunters in recent weeks include the European Commission, Rockstar Games, edtech giant McGraw Hill, and, more recently, medical device maker Medtronic, cruise line operator Carnival, fast fashion retailer Zara, convenience store chain 7-Eleven, and online training company Udemy.
