Vimeo has confirmed that user and customer data was accessed without authorization as a downstream consequence of the breach at data anomaly detection vendor Anodot. The video platform, which serves over 300 million registered users and posts $417 million in annual revenue, says exposed information includes email addresses, technical data, video titles, and metadata. The intrusion has been claimed by the extortion group ShinyHunters, which threatened to leak the stolen data by April 30 unless a ransom is paid.
What Happened
Vimeo disclosed on April 28, 2026 that an unauthorized actor accessed certain user and customer data through the upstream Anodot incident. According to the company, initial findings indicate the touched databases primarily held technical data, video titles, metadata, and in some cases customer email addresses. ShinyHunters listed Vimeo on its extortion portal one day prior, claiming to have data exfiltrated from Vimeo's Snowflake and BigQuery instances and issuing a warning that the platform should expect "several annoying digital problems" if it did not pay. Vimeo has disabled all Anodot credentials, removed the integration from its environment, engaged third-party incident responders, and notified law enforcement.
What Was Taken
Vimeo's preliminary scoping points to a contained but meaningful disclosure footprint. Confirmed exposed data categories include:
- Customer email addresses (in some cases)
- Technical data tied to the Vimeo platform
- Video titles
- Video and account metadata
The company explicitly states that uploaded video content, account credentials, and payment card information were not part of the accessed data. ShinyHunters has not publicly disclosed a record count for Vimeo, leaving the total volume unclear. For comparison, the same actor claims to have exfiltrated more than 78.6 million records from another Anodot downstream victim, Rockstar Games.
Why It Matters
This incident is a textbook supply chain breach where the trust boundary, not Vimeo's perimeter, was the failure point. Anodot is an analytics and anomaly detection vendor whose service is granted broad read access to customer data warehouses to function. Once attackers stole authentication tokens at the vendor, every downstream tenant became reachable through legitimate, expected, and often whitelisted API paths. The pattern (the threat actor identification, exfiltration from Snowflake and BigQuery, and the same playbook seen in the 2024 Snowflake-tenant campaign) indicates that ShinyHunters has institutionalized cloud data warehouse extortion. Defenders should treat any third-party SaaS with warehouse credentials as a high-blast-radius asset, not a peripheral tool.
The Attack Technique
Public reporting on the Anodot incident describes the following kill chain:
- Initial access at Anodot, the upstream SaaS vendor.
- Theft of customer authentication tokens, the credentials Anodot uses to query each tenant's data warehouse.
- Use of those stolen tokens to authenticate directly to downstream customer environments, primarily Snowflake and, in Vimeo's case, BigQuery as well.
- Bulk exfiltration of accessible tables and metadata from those warehouses.
- Extortion of victims individually, with public listing on ShinyHunters' leak portal and a hard deadline for payment.
Because the attacker is presenting valid OAuth or service tokens from a trusted integration, traffic appears legitimate and frequently bypasses anomaly thresholds tuned for credential stuffing or brute force.
What Organizations Should Do
- Inventory every third-party SaaS integration that holds tokens against Snowflake, BigQuery, Redshift, Databricks, or other data warehouses, and document the scope and lifetime of each token.
- Rotate or revoke all credentials issued to Anodot or any analytics vendor with comparable access, and require fresh, scoped tokens before re-enabling.
- Enforce network policies on warehouse access, restricting integration logins to vendor IP allowlists or PrivateLink, and require short-lived OAuth tokens over static keys.
- Hunt for anomalous query patterns from integration service accounts, especially large SELECT or COPY operations against tables outside the vendor's normal usage profile, and review BigQuery and Snowflake access logs for the past 60 days.
- Apply least-privilege roles to all integration users, granting access only to the specific schemas and tables required, and disable broad SELECT on entire databases.
- Update incident response playbooks to include third-party token compromise as a primary scenario, with predefined revocation, customer notification, and regulator-disclosure steps.
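
One way to run the hunt described in the list above, as an added example that is not from Vimeo, Anodot or the cited report: it learns an integration account's normal tables, source IPs and query volume from history older than the 60-day review window, then flags in-window queries that deviate. The record fields, account and table names, thresholds and log lines are constructed assumptions, not a Snowflake or BigQuery schema.

```python
from datetime import datetime, timedelta, timezone
from statistics import median

NOW = datetime(2026, 4, 28, tzinfo=timezone.utc)

def rec(days_ago, user, qtype, tables, mb, ip):
    return {"ts": NOW - timedelta(days=days_ago), "user": user, "type": qtype,
            "tables": set(tables), "bytes": mb * 1_000_000, "ip": ip}

# Constructed records: hypothetical account/table names, documentation IP ranges.
QUERY_LOG = [
    rec(90, "SVC_VENDOR", "SELECT", ["METRICS.DAILY_PLAYS"], 40, "198.51.100.10"),
    rec(80, "SVC_VENDOR", "SELECT", ["METRICS.DAILY_PLAYS"], 55, "198.51.100.10"),
    rec(70, "SVC_VENDOR", "SELECT", ["METRICS.ERROR_RATES"], 35, "198.51.100.11"),
    rec(30, "SVC_VENDOR", "SELECT", ["METRICS.DAILY_PLAYS"], 50, "198.51.100.10"),
    rec(3, "SVC_VENDOR", "SELECT", ["CORE.ACCOUNTS"], 60, "203.0.113.77"),
    rec(2, "SVC_VENDOR", "COPY", ["METRICS.DAILY_PLAYS"], 9000, "198.51.100.10"),
    rec(2, "ANALYST_1", "SELECT", ["CORE.ACCOUNTS"], 9000, "192.0.2.5"),
]

def build_profile(log, user, before):
    """Learn the account's normal tables, source IPs and typical volume."""
    hist = [r for r in log if r["user"] == user and r["ts"] < before]
    return {"tables": set().union(*(r["tables"] for r in hist)),
            "ips": {r["ip"] for r in hist},
            "median_bytes": median(r["bytes"] for r in hist) if hist else 0}

def hunt(log, user, now=NOW, window_days=60, volume_factor=10):
    """Return (record, reasons) for in-window queries that deviate from profile."""
    start = now - timedelta(days=window_days)
    prof = build_profile(log, user, start)  # baseline = history before the window
    findings = []
    for r in log:
        if r["user"] != user or r["ts"] < start:
            continue
        reasons = []
        if r["tables"] - prof["tables"]:
            reasons.append("table_outside_profile")
        if r["ip"] not in prof["ips"]:
            reasons.append("new_source_ip")
        if r["bytes"] > volume_factor * prof["median_bytes"]:
            reasons.append("volume_spike")
        if r["type"] in {"COPY", "EXPORT"}:  # constructed labels for bulk unloads
            reasons.append("bulk_unload")
        if reasons:
            findings.append((r, reasons))
    return findings
```

An account with no history before the window has an empty profile, so every one of its in-window queries is flagged for manual review.
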
Sources: Video service Vimeo confirms Anodot breach exposed user data