GBHackers

Vimeo Confirms Breach Exposing 119,000 Unique User Email Addresses


Video hosting platform Vimeo has confirmed a data breach that exposed approximately 119,000 unique user email addresses, attributing the incident to a security compromise at Anodot, a third-party analytics vendor integrated with its systems.

The breach came to light after the ShinyHunters extortion group listed Vimeo on its “pay or leak” portal in April 2026, and later published hundreds of gigabytes of stolen data.

The ShinyHunters group, known for targeting software-as-a-service platforms, added Vimeo to its extortion portal as part of an ongoing data theft campaign.

After no payment was made, the group published a large volume of data that primarily consisted of video titles, technical metadata, and, in some cases, customer email addresses paired with names.

Google Threat Intelligence has published a report detailing the unauthorized actor’s activity, specifically linking the Anodot incident to ShinyHunters’ broader expansion of SaaS data theft.

The group has been increasingly targeting third-party vendors and analytics providers to gain indirect access to high-profile platforms, making supply chain security a growing concern across the industry.

Vimeo Breach Exposing 119,000 Email Addresses

According to Vimeo’s official disclosure published on April 27, 2026, the databases accessed through the Anodot breach primarily contained:

  • Technical data and video metadata
  • Video titles
  • Customer email addresses (in some cases accompanied by names)

Vimeo was explicit that the breach does not include Vimeo video content, valid user login credentials, or payment card information.

The company also confirmed that user and customer login credentials remain secure and that no disruption to its systems or services occurred as a result of the incident. The breach was added to Have I Been Pwned (HIBP) on May 5, 2026, flagging 119,200 affected accounts.

Anodot is an AI-powered analytics platform used by Vimeo and numerous other enterprises to monitor business metrics and detect anomalies.

The breach highlights a critical, recurring weakness in modern enterprise security: the trusted third-party vendor.

Even when a company’s core infrastructure is hardened, integrations with external analytics, monitoring, or data management services can introduce significant exposure.

Upon discovering the incident, Vimeo acted quickly by turning off all Anodot credentials, severing the Anodot integration from its systems, and engaging third-party security experts to assist with the forensic investigation. Law enforcement has also been notified.

The company stated that its investigation is ongoing and that further updates will be provided as new information becomes available.

This incident underscores the expanding attack surface created by SaaS ecosystems. ShinyHunters has consistently demonstrated that targeting analytics and monitoring vendors, which often hold data from multiple enterprise clients, can yield massive returns from a single compromise.

Organizations relying on third-party integrations should enforce strict data minimization policies, conduct regular vendor security reviews, and maintain the ability to rapidly revoke third-party access in the event of a suspected breach.
