Vimeo confirms data loss in Anodot breach
Another victim falls to ShinyHunters
A data breach at software maker Anodot earlier this month is still racking up victims, with video platform Vimeo the latest to confirm unauthorised access to customer information.
Hackers, reported to be ShinyHunters, breached Anodot in early April and used that access to steal data from its various customers, which included Rockstar Games and Snowflake.
ShinyHunters was able to breach Anodot by stealing authentication tokens and using them to access customer environments and exfiltrate data, which it has now started offering for sale.
Vimeo is a video hosting and streaming platform similar to YouTube. It has more than 300 million registered users, about 1,100 employees and an annual revenue of $417 million.
The company uses Anodot as a third-party analytics platform. It says an unauthorised actor – almost certainly ShinyHunters, which recently added Vimeo to its dark web extortion portal – accessed “certain Vimeo user and customer data” as a result of the breach.
Those were primarily databases containing technical data, video titles and metadata, as well as “some” customer email addresses. They did not access video content, user login credentials or payment card information.
As well as threatening to leak the data, ShinyHunters somewhat underwhelmingly warned Vimeo to expect “several annoying digital problems."
While the hacking group outright said how much data it had grabbed from Rockstar (more than 78.6 million records), it didn’t say anything about the files it lifted from Vimeo – simply said it would release them by 30th April if the company did not pay.
Exactly what the impact would be is of course unclear. We should note that ShinyHunters did follow through on its threat to release the purloined Rockstar data, which turned out to be a damp squib and not materially harmful.
Vimeo says it has disabled all Anodot credentials and removed the service’s integration with its systems.