Vimeo Confirms Data Breach via Anodot, ShinyHunters Sets April 30 Ransom Deadline

Vimeo confirms breach via Anodot, exposing technical data and some emails; ShinyHunters demands ransom by April 30. Mitigations and next steps outlined.

Peter Olaleru/3 min/NG

Cybersecurity Editor

Source: BleepingComputer

Vimeo confirmed a breach after attackers exploited its Anodot analytics integration to reach Snowflake and BigQuery environments, exposing technical data, video titles, metadata and some customer email addresses. The ransomware group ShinyHunters has set an April 30 deadline for payment and threatens to publish the stolen information if it is not met.

Context

The intrusion began when threat actors obtained credentials for Anodot, a third‑party vendor that provides real‑time analytics to Vimeo. Using those credentials, the attackers moved laterally into Vimeo’s cloud data stores, querying Snowflake and BigQuery for operational metadata. Vimeo stated that the accessed data did not include video content, valid user login credentials, or payment card information. After discovery, the company disabled the Anodot credentials and removed the integration, then notified law enforcement.

Key Facts

- Vimeo said the accessed data did not include video content, valid user login credentials, or payment card information.
- A Vimeo spokesperson said the company has taken steps to secure its environment and is closely monitoring the situation.
- Vimeo must respond to the ShinyHunters ransom demand by April 30.
- ShinyHunters claims to have exfiltrated data from Vimeo’s Snowflake and BigQuery instances and threatens to leak it unless paid.
- The group has previously targeted Salesforce and other SaaS platforms via similar third‑party vectors.

What It Means

The incident highlights how a compromised vendor credential can serve as a foothold for cloud data exfiltration. Defenders should rotate all third‑party API keys and enforce MFA on service accounts. Apply least‑privilege principles to Snowflake and BigQuery roles, restricting access to only required schemas and enabling IP allow‑lists for trusted networks. Activate comprehensive query logging and monitor for anomalous patterns such as large‑scale metadata reads or unusual query times (MITRE ATT&CK T1078 – Valid Accounts, T1041 – Exfiltration Over Command‑and‑Control Channel). Deploy detection rules for unexpected data‑transfer volumes from cloud warehouses to external endpoints. Follow vendor advisories and CISA guidance on third‑party risk management (e.g., CISA Alert AA23‑045A). Watch whether Vimeo meets the April 30 deadline, if any data appears on leak sites, and whether other Anodot‑linked firms disclose similar incidents.
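The query-log monitoring recommended above can be sketched as follows. This is an added example, not code from Vimeo, Anodot or the original report. The record fields, the account name `svc_analytics`, the allow-listed range and the thresholds are all assumptions, to be mapped onto whatever your warehouse's query-history export provides.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median

# Assumed policy values for this sketch; tune per environment.
ALLOWED_NETS = [ip_network("203.0.113.0/24")]  # stand-in for the vendor's egress range
VOLUME_FACTOR = 10  # flag scans over 10x the account's median
METADATA_MARKERS = ("information_schema", "show tables", "show schemas")

def build_baseline(history):
    """Per account: hours of day normally active and median bytes scanned."""
    per_user = {}
    for r in history:
        b = per_user.setdefault(r["user"], {"hours": set(), "bytes": []})
        b["hours"].add(datetime.fromisoformat(r["ts"]).hour)
        b["bytes"].append(r["bytes_scanned"])
    return {u: {"hours": b["hours"], "median": median(b["bytes"])} for u, b in per_user.items()}

def evaluate(rec, baseline):
    """Return the list of reasons a query-log record looks anomalous."""
    base = baseline.get(rec["user"])
    if base is None:
        return ["no-baseline-for-account"]
    reasons = []
    if not any(ip_address(rec["client_ip"]) in n for n in ALLOWED_NETS):
        reasons.append("source-ip-outside-allow-list")
    if datetime.fromisoformat(rec["ts"]).hour not in base["hours"]:
        reasons.append("unusual-query-time")
    if rec["bytes_scanned"] > VOLUME_FACTOR * base["median"]:
        reasons.append("scan-volume-spike")
    if any(m in rec["query_text"].lower() for m in METADATA_MARKERS):
        reasons.append("metadata-enumeration")
    return reasons

# Constructed sample records (not real logs); "svc_analytics" is a made-up account.
HISTORY = [{"user": "svc_analytics", "ts": f"2025-01-0{d}T02:15:00", "client_ip": "203.0.113.10",
            "bytes_scanned": 40_000_000 + d * 1_000_000,
            "query_text": "SELECT day, views FROM metrics.daily"} for d in range(1, 8)]
NEW = [
    {"user": "svc_analytics", "ts": "2025-01-08T02:16:00", "client_ip": "203.0.113.10",
     "bytes_scanned": 45_000_000, "query_text": "SELECT day, views FROM metrics.daily"},
    {"user": "svc_analytics", "ts": "2025-01-08T14:40:00", "client_ip": "198.51.100.7",
     "bytes_scanned": 9_000_000_000, "query_text": "SELECT * FROM information_schema.tables"},
]

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for rec in NEW:
        print(rec["ts"], rec["client_ip"], evaluate(rec, baseline) or "ok")
```

The routine nightly query passes cleanly, while the second record trips all four checks at once, which is the combination worth alerting on for a vendor service account.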
