Video hosting platform Vimeo confirmed a data breach impacting approximately 119,000 users after the ShinyHunters extortion group accessed personal information through a security incident at Anodot, a third-party analytics vendor. The breach occurred in April 2026, and ShinyHunters subsequently listed Vimeo on their extortion portal as part of a pay-or-leak campaign before publishing hundreds of gigabytes of stolen data.

According to breach notification service Have I Been Pwned, the compromised data primarily consists of technical information, video titles, and metadata. The breach also exposed 119,000 unique email addresses, sometimes accompanied by user names. Vimeo emphasized that the incident did not compromise video content, valid user login credentials, or payment card information, and that services remained operational throughout the incident.

The attack vector involved Anodot, an analytics vendor used by Vimeo and numerous other companies. ShinyHunters, a cybercrime group known for targeting large organizations through social engineering and voice phishing techniques, gained unauthorized access to Vimeo data stored within Anodot's systems. The group typically focuses on stealing credentials to access software-as-a-service platforms like Salesforce, Okta, and Microsoft 365. Following Vimeo's public disclosure, ShinyHunters released a 106GB archive of stolen documents on their Tor-based data leak site.

The breach highlights the persistent risks associated with third-party vendor relationships in the software supply chain. ShinyHunters operates as part of a loosely connected network of primarily young, English-speaking cybercriminals who use leak sites to pressure victims into paying ransoms in cryptocurrency. Recent targets of the group include the European Commission, Odido, Figure, Canada Goose, Rockstar, and SoundCloud, demonstrating their focus on high-profile organizations across multiple sectors.

In response to the incident, Vimeo immediately disabled Anodot's access to its systems and removed the integration entirely. The company has engaged external security experts to assist with the investigation and has notified law enforcement authorities. Vimeo stated that its investigation is ongoing and committed to sharing updates as additional details emerge. Users whose data was exposed should remain vigilant for phishing attempts that may reference their video titles or other exposed metadata to appear legitimate.

Source: https://securityaffairs.com/191715/data-breach/vimeo-confirms-breach-via-third-party-vendor-impacts-119k-users.html