Vercel, a prominent app and website hosting provider, revealed on Thursday that hackers had accessed sensitive customer information prior to a recent data breach, indicating potential wider security concerns. This announcement came as part of an update on their security incident page, where the company detailed findings from an expanded investigation.
The company confirmed that a limited number of customer accounts showed signs of compromise that occurred before the early-April breach. These compromises may have arisen from various methods, including social engineering and malware attacks.
In addition to the earlier findings, Vercel noted that more accounts were compromised as a result of the April incident, although specific details remain undisclosed. Customers identified as affected have been notified accordingly.
Initially, Vercel attributed the breach to an employee who inadvertently downloaded an application from Context AI, a software startup. This action allowed hackers to exploit the employee's work account, leading to unauthorized access to Vercel's internal systems.
The latest update suggests that the breach could be more extensive and may have persisted longer than previously believed. Vercel's CEO, Guillermo Rauch, indicated in a post on X that the hackers' activities extended beyond the initial compromise at Context AI, which also acknowledged a previous breach of its own systems.
A spokesperson for Vercel refrained from commenting further, not confirming the number of affected customers or the timeline of the second compromise. However, Rauch pointed to early indicators that malware was used to infiltrate systems, specifically targeting valuable access tokens.
This malware, often referred to as infostealers, masquerades as legitimate software and can extract sensitive information such as passwords and private keys from infected devices. Once attackers gain access to these keys, they can execute rapid and extensive operations within the compromised system.
Rauch emphasized that the logs indicated a consistent pattern of swift API usage following the breach, focusing on gathering non-sensitive environment variables. The hackers utilized the compromised employee's account to access various internal systems, which included unencrypted customer credentials.
Research has suggested that the breach at Vercel may not only impact its own customers but could also extend to other companies, with the potential for more victims to emerge as investigations continue.
