Vimeo Data Breach Tied to Third-Party Analytics Provider Anodot

Vimeo has confirmed a data breach affecting user and customer data after attackers compromised a third-party analytics vendor the company relied on for real-time anomaly detection. The Vimeo data breach did not expose passwords, payment details, or video content, but it did expose email addresses and a range of operational metadata, and it arrived alongside active extortion threats from one of the most active data theft groups operating today.

The incident originated at Anodot, an AI-powered business analytics platform acquired by Glassbox in November 2025. Anodot held authentication tokens on behalf of its customers, tokens that gave it legitimate, persistent access to cloud environments including Snowflake, S3, and Amazon Kinesis. Attackers stole those tokens and used them to access downstream customer data without ever needing to break into those platforms directly.

How the Attack Worked

On April 4, 2026, Anodot's status page began reporting that all of its data connectors had gone offline across every geographic region. At the time, it appeared to be a service disruption, but it was not.

An attacker had already been inside Anodot's systems. The connector outages coincided with unauthorized access to authentication tokens stored within the platform. Those tokens acted as trusted credentials between Anodot and its customers' cloud environments. With them, the attacker could move through connected systems with the same apparent legitimacy as an internal service account.

ShinyHunters later confirmed they were behind the campaign, claiming to have extracted data from dozens of companies over a single bank holiday weekend, timed deliberately across Easter and Passover to slow detection and response. The group also attempted to pivot to Salesforce environments using the same stolen tokens, though that specific attempt wasreportedly blocked.

What Vimeo Lost

Vimeo has confirmed that the databases accessed by the attacker primarily contained technical data, video titles, and metadata. In some cases, customer email addresses were also exposed.

Video content uploaded to the platform was not accessed. Neither were user login credentials or payment card information. Vimeo has stated that its operations were not disrupted by the incident.

Upon discovering the breach, Vimeo disabled all Anodot credentials and removed the integration from its systems. The company has engaged external security specialists to assist with the ongoing investigation and has notified law enforcement.

ShinyHunters and the Broader Campaign

ShinyHunters named Vimeo, Rockstar Games, and fashion retailer Zara among victims affected through the Anodot breach. The group published data from Rockstar Games after a ransom deadline passed without payment.

The campaign fits a pattern this group has refined over the past year. Rather than attacking large enterprises head-on, ShinyHunters targets the vendors those enterprises depend on: SaaS providers, analytics platforms, integration tools, and harvests the credentials those vendors hold on their customers' behalf. We previously covered the group's Salesforce Aura campaign, which ran undetected from September 2025 into early March 2026, and their breach of a consumer identity protection provider where a voice phishing attack on a single employee opened access to nearly 900,000 records.

Google's Threat Intelligence Group has confirmed it is actively tracking the Anodot campaign. Snowflake, which confirmed that its own infrastructure was not breached, locked down potentially affected customer accounts after learning Anodot was the source of the incident.

The Third-Party Risk Problem

The Anodot attack worked because of a structural feature of how modern SaaS tools are built. Analytics platforms need broad, persistent access to their customers' data in order to function. That access is typically granted through long-lived authentication tokens, credentials that don't expire on short cycles and that, once stolen, are difficult to detect in use because the traffic they generate looks exactly like legitimate activity.

Every SaaS tool an organization connects to its cloud infrastructure creates another link in the trust chain. When one link breaks, the attacker inherits whatever access that vendor held. In this case, one compromised analytics platform became the entry point for data theft across more than a dozen organizations simultaneously.

For security and IT teams, the practical response involves auditing every third-party integration with access to cloud data warehouses, reviewing the scope of permissions each integration holds, rotating authentication tokens, and monitoring for unusual query patterns or bulk export activity. Vendor risk management frameworks need to treat SaaS integrations as critical dependencies, not peripheral tools.

What Affected Vimeo Users Should Know

Vimeo has stated that login credentials are secure and that users are not required to take immediate action. However, anyone with a Vimeo account should treat unexpected email contact with caution, particularly messages requesting login details, payment updates, or urgent account verification. Exposed email addresses can feed phishing campaigns, and ShinyHunters has previously used stolen contact data to apply pressure on both organizations and their customers.

The investigation remains ongoing. Vimeo has said it will continue to take appropriate measures as new findings emerge.