Vimeo has disclosed a security incident stemming from a breach at third-party analytics provider Anodot, which resulted in unauthorized access to certain user and customer data.
The company states that no video content, login credentials, or payment information were exposed, though an investigation into the incident is still underway.
According to its security notice, Vimeo identified that attackers leveraged the Anodot compromise to access specific datasets linked to its platform. The exposed information primarily includes technical data, video titles, metadata, and, in some cases, customer email addresses. Vimeo emphasized that its core systems remain unaffected, with no service disruption reported and user authentication data remaining secure.
This is part of a broader supply-chain breach involving Anodot, an analytics and anomaly detection platform used by multiple organizations to monitor business and operational metrics. Other companies victimized by ShinyHunters through Anodot are Inditex, the owner of Zara, and Rockstar Games.
While Vimeo did not attribute the attack to a specific threat actor, the breach was publicly claimed on the same day by the ShinyHunters group via its dark web extortion portal. The threat group alleges that it exfiltrated data from Vimeo’s Snowflake and Google BigQuery instances through the compromised Anodot integration, and has issued a “pay or leak” ultimatum with a deadline of April 30, 2026.
ShinyHunters is a data extortion group with a history of targeting cloud services, SaaS platforms, and enterprise databases. Their operations typically involve breaching third-party providers or exploiting misconfigured cloud instances to obtain large datasets, which are then used as leverage for ransom demands.
Vimeo, a major video hosting and streaming platform serving millions of users globally, stated that it acted quickly upon learning of the incident. The company disabled all Anodot-related credentials, removed the integration from its systems, and engaged external cybersecurity experts to assist with forensic investigation and containment. Law enforcement authorities have also been notified, and the company says its investigation remains ongoing.
While Vimeo maintains that the impact is limited, the exposure of email addresses and metadata could still pose privacy and phishing risks for affected users. Additionally, the threat of a public data leak by ShinyHunters introduces further uncertainty, particularly if the attackers’ claims regarding cloud database access are substantiated.
Users are advised to remain cautious of unsolicited emails referencing Vimeo accounts or content, as attackers may attempt follow-up phishing campaigns using harvested data. As a precaution, enabling multi-factor authentication, monitoring account activity, and avoiding suspicious links or attachments can help mitigate risks.
Vimeo has indicated that it will continue to update its advisory as more information becomes available.
Leave a Reply