
Vimeo breach exposes 119,000 emails via compromised analytics vendor Anodot

Vimeo confirms 119,000 user emails leaked after analytics vendor Anodot compromised by ShinyHunters. No passwords or payment data affected.

Peter Olaleru, Cybersecurity Editor


TL;DR: Vimeo confirmed a data breach after its analytics vendor Anodot was compromised, exposing 119,000 email addresses and associated metadata. The ShinyHunters extortion group claimed responsibility and later leaked a 106GB archive of the stolen data.

Context

Vimeo uses Anodot for analytics across its platform. In April 2026, unauthorized actors gained access to Anodot’s environment and exfiltrated Vimeo user data, including email addresses, names, video titles and technical metadata. Vimeo stated that video files, login credentials and payment information remained untouched and that service continuity was not affected.

Key Facts

- The breach impacted 119,000 unique user records.
- ShinyHunters, known for voice‑phishing and SaaS credential theft, listed Vimeo on their extortion portal before publishing the data.
- Have I Been Pwned confirmed the leak included email addresses and associated metadata.
- Vimeo responded by disabling Anodot integration, removing the vendor’s access, engaging external forensic experts and notifying law enforcement.
- Investigation remains ongoing; no specific CVE has been publicly linked to the incident.

What It Means

The incident highlights the risk posed by third‑party vendors with access to sensitive data. Even when core systems remain secure, compromised partners can become a conduit for data exfiltration. Organizations must treat vendor access as an extension of their own attack surface and apply equivalent security controls.

Mitigations

- Conduct regular third‑party risk assessments and enforce least‑privilege access for vendor accounts.
- Monitor data flows for unusual exfiltration patterns using DLP and network traffic analysis.
- Require MFA and just‑in‑time access for all vendor‑managed credentials.
- Segment vendor networks and apply zero‑trust principles to limit lateral movement.
- Review and rotate API keys, service accounts and any shared secrets following a vendor incident.
- Subscribe to vendor security advisories and patch any disclosed vulnerabilities promptly.

Watch for further details from Vimeo’s ongoing investigation and any updates on ShinyHunters’ leak sites.
