Vimeo breach exposes data of 119,000 users

User passwords, payment card information and video content not accessed, insists company

The data breach at Vimeo revealed in April has exposed the personal details of more than 119,000 people, according to breach tracking researchers.

The online video platform, which hosts and streams content for hundreds of millions of users worldwide, said hackers gained unauthorised access to customer data through a breach linked to third-party analytics provider Anodot.

The incident first came to light in April after ShinyHunters added Vimeo to its online "pay or leak" site, where cybercriminal groups publicly pressure companies to pay ransoms or face the release of stolen information.

Since then, a cache of data allegedly taken from Vimeo systems has been published online.

Breach notification service "Have I Been Pwned" said its analysis found 119,200 unique email addresses in the leaked files, with some records also containing names.

Compromised credentials

Vimeo, which is listed on the Nasdaq stock exchange, said the breach originated through compromised credentials connected to Anodot, a company that provides data anomaly detection services.

"Our initial findings suggest that the databases accessed primarily contain technical data, video titles and metadata, and, in some cases, customer email addresses," the company said.

It insisted that user passwords, payment card information and video content had not been accessed.

"The data accessed does not include Vimeo video content, valid user login credentials, or payment card information. This incident did not cause any disruption to our systems or service."

Vimeo added it disabled all Anodot credentials immediately after discovering the breach, removed the integration between the two companies' systems, and brought in external cybersecurity specialists to investigate.

Law enforcement agencies have also been informed.

Anodot has not issued a public statement on the attack, although it's status page indicated a security incident began on 4th April.

After negotiations reportedly failed, ShinyHunters released what it described as a 106GB archive of stolen documents on its dark web leak site.

"Your Snowflake and BigQuery instances data was compromised thanks to Anodot.com," the group wrote in a message accompanying the leak.

"The company failed to reach an agreement with us despite our incredible patience."

Extortion-as-a-service model

ShinyHunters has become one of the most active digital extortion groups in recent years, targeting companies through cloud services, application programming interfaces (APIs), and identity management systems rather than traditional network intrusions.

The group has previously been linked to attacks affecting major organisations including Microsoft, AT&T and Ticketmaster.

The gang operates an "extortion-as-a-service" model, in which affiliates steal company data and use the threat of publication to pressure victims into paying large sums.

In recent months, ShinyHunters has also claimed responsibility for breaches involving the European Commission, video game developer Rockstar Games, retailer Zara, cruise operator Carnival, and online learning company Udemy.

Vimeo has not confirmed whether it received a ransom demand or whether any payment was discussed. The company said its investigation into the full scope of the breach is continuing.