
ShinyHunters Leak Exposes 119,200 Vimeo Users’ Emails After Anodot Breach

ShinyHunters leaked 119,200 Vimeo user emails after compromising Anodot credentials. Details on attack vector, impact, and defender actions.

Peter Olaleru, Cybersecurity Editor (3 min read, US)

Source: Security Affairs

On April 27, Vimeo disclosed an unauthorized access event traced to a breach at anomaly detection provider Anodot. ShinyHunters later published a 106 GB dump containing the email addresses and, in some cases, names of 119,200 individuals.

Context

Vimeo, a Nasdaq‑listed video platform with over 300 million registered users, uses Anodot for data anomaly detection. Attackers stole Anodot authentication tokens, which ShinyHunters claimed gave them access to Vimeo’s connected Snowflake and BigQuery instances.

Key Facts

- Timeline: Anodot breach occurred prior to April 27; Vimeo detected anomalous activity, disabled all Anodot credentials, and removed the integration on April 27.
- Discovery: Vimeo’s internal monitoring flagged unauthorized API calls; third‑party forensic experts confirmed the intrusion.
- Scope: Have I Been Pwned analyzed the leaked archive and identified 119,200 unique email addresses, with names attached in a subset.
- Technical details: The attackers used valid Anodot tokens (MITRE ATT&CK T1078 – Valid Accounts) to pivot to cloud data warehouses (T1195 – Supply Chain Compromise). No credentials, payment data, or video content were accessed.
- Attribution: ShinyHunters, an extortion‑focused cybercrime group, claimed responsibility and posted the data on their dark‑web leak site after extortion talks failed.

What It Means

The leak underscores how a single third‑party token can expose large volumes of personal data, even when the primary application appears unaffected. Organizations relying on SaaS integrations must treat every connected service as a potential attack surface.

Mitigations

- Rotate and revoke all third‑party API tokens immediately after any suspected compromise.
- Enforce MFA and least‑privilege scopes for service accounts linking to cloud warehouses.
- Monitor for anomalous API usage patterns using UEBA tools; alert on spikes in data export requests (MITRE T1041 – Exfiltration Over Web Services).
- Conduct a regular inventory of third‑party integrations and apply zero‑trust network segmentation between SaaS apps and internal data stores.
- Review and harden token storage; avoid hard‑coding tokens in scripts or repositories.
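As an added example (not code from the article, Vimeo, or Anodot), the Python below implements the "spike in data export requests" check from the monitoring item above: it sums constructed warehouse audit lines per integration identity and day, then flags an identity whose latest-day volume is far above its own history. The log format, identity names, and thresholds are assumptions, not a real Snowflake or BigQuery audit schema.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed warehouse audit records (not a real Snowflake/BigQuery schema):
# one line per query, key=value fields, day as a relative index.
SAMPLE_LOG = """\
day=1 identity=svc_anomaly_vendor bytes=12000000
day=2 identity=svc_anomaly_vendor bytes=11500000
day=3 identity=svc_anomaly_vendor bytes=12800000
day=4 identity=svc_anomaly_vendor bytes=11900000
day=5 identity=svc_anomaly_vendor bytes=40000000000
day=5 identity=svc_anomaly_vendor bytes=50000000000
day=1 identity=svc_billing_etl bytes=500000000
day=2 identity=svc_billing_etl bytes=510000000
day=3 identity=svc_billing_etl bytes=495000000
day=4 identity=svc_billing_etl bytes=505000000
day=5 identity=svc_billing_etl bytes=560000000
""".splitlines()


def daily_totals(lines):
    """Sum bytes per identity per day: many mid-sized queries on one day add
    up, so a per-query threshold alone would miss a slow bulk pull."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        totals[fields["identity"]][int(fields["day"])] += int(fields["bytes"])
    return totals


def detect_export_spikes(lines, z_threshold=3.0, min_ratio=5.0, min_history=3):
    """Alert on identities whose latest-day volume is far above their own
    history. Both tests must pass: the z-score catches spikes against a noisy
    baseline; the ratio guard keeps a flat baseline (sigma == 0) from
    alerting on trivial growth."""
    alerts = []
    for identity, per_day in daily_totals(lines).items():
        days = sorted(per_day)
        if len(days) <= min_history:
            continue  # too little history to judge the newest day
        *history, latest = days
        baseline = [per_day[d] for d in history]
        mu, sigma = mean(baseline), pstdev(baseline)
        today = per_day[latest]
        if today > mu + z_threshold * sigma and today > min_ratio * mu:
            alerts.append({"identity": identity, "day": latest, "bytes": today,
                           "baseline_mean": round(mu), "ratio": round(today / mu, 1)})
    return alerts
```

The billing identity grows about 11% on the last day and stays quiet because it fails the ratio guard; the vendor identity's two same-day queries are summed and flagged at thousands of times its baseline.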

Watch for follow‑on extortion attempts and additional leaks of the same dataset on underground forums.
