- The Attack Chain — Step by Step
A Context.ai employee was infected with Lumma Stealer back in February 2026 because he was searching for cracked Roblox scripts online.
The stealer harvested his Google Workspace credentials, along with Supabase, Datadog, and Authkit keys.
(Source: Help Net Security)
One Vercel employee was using Context.ai with his Enterprise account and had granted it “Allow All” permissions on Google Drive.
The attacker used the stolen OAuth token to access that employee’s Workspace account and pivoted directly into Vercel’s internal infrastructure.
(Source: OX Security)
- What Was Stolen?
The attacker exfiltrated:
- API keys
- GitHub tokens
- NPM tokens
- Internal tool logs for 580 employees
According to Vercel’s CEO, the intruder moved with unusual speed, strongly suggesting the use of AI‑accelerated reconnaissance.
(Source: Strobes)
- Who’s Behind It?
The group claiming responsibility: ShinyHunters — the same threat actors behind breaches at:
- Ticketmaster
- Santander
- Rockstar
- AT&T
They listed the stolen Vercel data for $2 million on BreachForums.
(Source: Strobes)
- The Most Dangerous Lesson
The breach was not discovered by Vercel’s security team.
It was discovered only because the attacker chose to sell the data publicly.
The time gap between initial access and detection is the most alarming part of the incident.
- Suggested Sections for Your Full Post
- The Complete Hacking Series: 6 Steps — From a Roblox Script to a $2M Breach
- Shocking Stats: 580 Employees, $2 Million, One OAuth Token
- All Leaked Data in a Clear Grid
- Who Are ShinyHunters? Their Criminal Track Record
- The Most Dangerous Lesson: Detection Came From the Attacker, Not the Defenders
