CyberSecurityNews

Vimeo Data Breach Exposes 119,000 Users' Unique Email Addresses


In a significant supply chain security incident, the popular video hosting platform Vimeo has confirmed a data breach that exposed user information.

Discovered in April 2026, the breach exposed 119,000 unique email addresses and other metadata.

The incident highlights the growing risks associated with third-party service providers, as the compromise did not occur directly on Vimeo’s infrastructure but rather through an analytics vendor.

The notorious extortion group known as ShinyHunters claimed responsibility for the attack.

ShinyHunters Breach Claim

They added Vimeo to their public extortion portal as part of an aggressive “pay or leak” campaign.

Following the initial threat, the threat actors published hundreds of gigabytes of stolen data online.

Google Threat Intelligence has also released a report detailing the expansion of ShinyHunters’ software-as-a-service data theft operations, directly associating the threat group with this specific vendor compromise.

Vimeo Data Breach

While the sheer volume of leaked data is massive, the contents primarily consist of technical records rather than highly sensitive financial information.

The exposed databases contained video titles, system metadata, and technical logs.

However, the most concerning aspect for users is the exposure of 119,000 unique email addresses, which were sometimes accompanied by user names.

Data breach notification service Have I Been Pwned analyzed and added 119,200 accounts to its database, noting 56% were already exposed in prior breaches.

Cybercriminals frequently use this type of personal information to launch targeted phishing campaigns or credential stuffing attacks across other platforms.

Vimeo has stepped forward to reassure its user base regarding the limitations of the breach.

According to their official security advisory, the unauthorized access did not compromise actual Vimeo video content.

Furthermore, the company confirmed that valid user login credentials, passwords, and payment card information remain entirely secure.

The incident also did not disrupt Vimeo’s core systems or daily hosting services, meaning platform operations continue to function normally without interruption.

The root cause of the data exposure stems from Anodot, a third-party analytics vendor used by Vimeo and several other organizations.

The threat actors breached Anodot’s systems, gaining unauthorized access to specific Vimeo customer data stored in the analytics environment.

This indirect compromise underscores the critical importance of monitoring vendor security and managing data access permissions within integrated enterprise supply chains.

Upon discovering the unauthorized access, Vimeo’s security team immediately initiated its incident response protocols.

The company promptly revoked all Anodot credentials and completely removed the vendor’s integration from Vimeo’s internal systems to prevent further data exfiltration.

Additionally, Vimeo engaged external cybersecurity experts to assist with a comprehensive forensic investigation.

The company has also notified relevant law enforcement agencies and stated that it will continue to monitor the situation and update users as the investigation progresses.

Security experts strongly recommend that affected Vimeo users implement precautionary measures.

Even though passwords were not exposed, individuals should remain highly vigilant against incoming communications.

Threat actors often leverage exposed names and email addresses to craft highly convincing phishing messages designed to steal passwords or deploy malware.

Users are encouraged to use a reputable password manager to generate and store strong, unique passwords for all their online accounts, ensuring that a breach on one platform does not compromise another.
